GeekPolice Tech Tutorials

Trojan.DNSChanger and SearchScopes

Re: Trojan.DNSChanger and SearchScopes

Are you still getting the popups? Could you post the last ten lines of the log?

Re: Trojan.DNSChanger and SearchScopes

14:05:02.0854 0x2258 ================ Scan global ===============================
14:05:02.0900 0x2258 [ 243F54DBA6EB48A369CA465E263ABA4A, 9D9F9DE783D000F3EA130EB68FD71319F21E4F1CD4232FB8B2F8A9A67E08F5F4 ] C:\Windows\system32\basesrv.dll
14:05:02.0944 0x2258 [ EAB311B0A7A8EA0346F14F08D4BC8F46, 11168E4074679F8A69DA714C0ABD0C68BA49D171B379343F14783C9C563202CA ] C:\Windows\system32\winsrv.dll
14:05:02.0987 0x2258 [ 3600ED7EA8AED849E20700551C0BD63B, 4A8C346C1646E80B58EF93F87F915A41E05CA2E993BB1C96955AE62A0669AF66 ] C:\Windows\system32\sxssrv.dll
14:05:03.0029 0x2258 [ 5BF02EBEFEDC706318C96E2E60EDCB91, DC866C5BC3A887CAAA7169AB9BB2992F6F877B3EA04B62B4F95B6BD54943155F ] C:\Windows\system32\services.exe
14:05:03.0043 0x2258 [ Global ] - ok
14:05:03.0045 0x2258 ================ Scan MBR ==================================
14:05:03.0063 0x2258 [ 5FB38429D5D77768867C76DCBDB35194 ] \Device\Harddisk0\DR0
14:05:03.0111 0x2258 \Device\Harddisk0\DR0 - ok
14:05:03.0132 0x2258 [ 5FB38429D5D77768867C76DCBDB35194 ] \Device\Harddisk1\DR1
14:05:03.0138 0x2258 \Device\Harddisk1\DR1 - ok
14:05:03.0141 0x2258 ================ Scan VBR ==================================
14:05:03.0149 0x2258 [ F349D616FC879D42E62A08BA18D53153 ] \Device\Harddisk0\DR0\Partition1
14:05:03.0175 0x2258 \Device\Harddisk0\DR0\Partition1 - ok
14:05:03.0192 0x2258 [ 6B3604872C1D0AB6EEF9E8F55E6C8275 ] \Device\Harddisk0\DR0\Partition2
14:05:03.0207 0x2258 \Device\Harddisk0\DR0\Partition2 - ok
14:05:03.0223 0x2258 [ A4425078424A8B22CA8325A649C43F11 ] \Device\Harddisk0\DR0\Partition3
14:05:03.0223 0x2258 \Device\Harddisk0\DR0\Partition3 - ok
14:05:03.0235 0x2258 [ C257F49A886D0C4FE22B2F67905CF952 ] \Device\Harddisk0\DR0\Partition4
14:05:03.0253 0x2258 \Device\Harddisk0\DR0\Partition4 - ok
14:05:03.0283 0x2258 [ 3F6D5BA1AABA1244C5E896B49006D81A ] \Device\Harddisk0\DR0\Partition5
14:05:03.0298 0x2258 \Device\Harddisk0\DR0\Partition5 - ok
14:05:03.0307 0x2258 [ 809537E426045146AF9D29A2EF90F984 ] \Device\Harddisk1\DR1\Partition1
14:05:03.0310 0x2258 \Device\Harddisk1\DR1\Partition1 - ok
14:05:03.0312 0x2258 ================ Scan generic autorun ======================
14:05:03.0374 0x2258 [ 0B091BD3E8F6BD5F985DE8E3DF17D837, 7082AFB9EE8EE2EAAAFA0DB129505117E2BA1D7059B193E0DEF514080F77D1BE ] C:\Windows\system32\igfxtray.exe
14:05:03.0389 0x2258 IgfxTray - ok
14:05:03.0442 0x2258 [ 1ECC8D5528F535EC6CECFB824B349418, 4035CD388A437F1564C6E4E86787756CF196CD0DFDDAD4DAFABDB583D370FF4F ] C:\Windows\system32\hkcmd.exe
14:05:03.0468 0x2258 HotKeysCmds - ok
14:05:03.0533 0x2258 [ 1B8C1C4B77BE157E322A05118A2E25E1, 978C8A511544DE5BC7BCB31B675356E8E764EFC435BCCDF360C8635668D6B072 ] C:\Windows\system32\igfxpers.exe
14:05:03.0559 0x2258 Persistence - ok
14:05:03.0883 0x2258 [ 586154542F56C285E6F53E4727928780, 7D009AE4310DF49492D20F3363C0A21A1461A6948809883266027D86A1EE87D5 ] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
14:05:04.0259 0x2258 RTHDVCPL - ok
14:05:04.0279 0x2258 SynTPEnh - ok
14:05:04.0339 0x2258 [ D0B542256A968DFCB8896C140FCE6047, 3F92A9871B521BCCCDFE6D9BFF88930B26C5DB86F6F6578554A3F2ECC5C5EBA0 ] C:\Program Files\iTunes\iTunesHelper.exe
14:05:04.0350 0x2258 iTunesHelper - ok
14:05:04.0355 0x2258 3D BubbleSound - ok
14:05:04.0502 0x2258 [ E2043ABD9E13E1B7BF74B1D05E15AA47, B59953E4F2392858601551A4FA2024742B99E6AF48D71C3155548C97E25A1FA9 ] C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe
14:05:04.0538 0x2258 HPMessageService - ok
14:05:04.0778 0x2258 [ 4CDF90E852837C827C855F8E8E2C5FE2, 1918CE3A880E2067D52C538096DA2D35DFCA2D742E2ED370CF2DFE22840024FD ] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe
14:05:04.0977 0x2258 Intuit SyncManager - ok
14:05:05.0048 0x2258 [ 34D296AFC913E302953C70463EF09A48, BC413307CBC56C039EE8A05B51A56E14EF59678FBB33815AEB320078056C8CE7 ] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
14:05:05.0054 0x2258 HP Software Update - ok
14:05:05.0198 0x2258 [ 22F7B9670AD770C7ED7F4738204C8E5C, 7B793AC094CB1B073419B5DAE09DFBB8EBED03D29301F490AA76EA0667613438 ] C:\Program Files\HP\HP Officejet 6600\Bin\ScanToPCActivationApp.exe
14:05:05.0279 0x2258 HP Officejet 6600 (NET) - ok
14:05:05.0305 0x2258 Skype - ok
14:05:05.0459 0x2258 [ ACD929D8754B63BBBB68B48B96F8A99E, E4DD488BA151AAB58FC00458F69D5A7AC191BA488F2BDAF88BE432C24250AF94 ] C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe
14:05:05.0537 0x2258 Advanced SystemCare 8 - ok
14:05:05.0643 0x2258 [ CE9806603D3C635EA6E0BB79FE916D2E, E544A661AF49DF835D27748B75D2DC36CAA2A224CB385B406D32FC541B12C6C4 ] C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
14:05:05.0671 0x2258 GoogleChromeAutoLaunch_D767CAD71DA7DD1CDFD0D3EF6D1B23BA - ok
14:05:05.0677 0x2258 Waiting for KSN requests completion. In queue: 75
14:05:06.0677 0x2258 Waiting for KSN requests completion. In queue: 75
14:05:07.0677 0x2258 Waiting for KSN requests completion. In queue: 75
14:05:08.0678 0x2258 Waiting for KSN requests completion. In queue: 75
14:05:09.0735 0x2258 AV detected via SS2: Windows Defender, C:\Program Files\Windows Defender\MSASCui.exe ( 4.7.205.0 ), 0x61100 ( enabled : updated )
14:05:09.0742 0x2258 Win FW state via NFP2: enabled
14:05:29.0743 0x2258 ============================================================
14:05:29.0743 0x2258 Scan finished
14:05:29.0743 0x2258 ============================================================
14:05:29.0772 0x224c Detected object count: 0
14:05:29.0772 0x224c Actual detected object count: 0
14:10:43.0627 0x2180 Deinitialize success

Re: Trojan.DNSChanger and SearchScopes

What's the status of the computer now?

Re: Trojan.DNSChanger and SearchScopes

==================================
08:25:13.0710 0x2b94 [ F349D616FC879D42E62A08BA18D53153 ] \Device\Harddisk0\DR0\Partition1
08:25:13.0741 0x2b94 \Device\Harddisk0\DR0\Partition1 - ok
08:25:13.0757 0x2b94 [ 6B3604872C1D0AB6EEF9E8F55E6C8275 ] \Device\Harddisk0\DR0\Partition2
08:25:13.0772 0x2b94 \Device\Harddisk0\DR0\Partition2 - ok
08:25:13.0788 0x2b94 [ A4425078424A8B22CA8325A649C43F11 ] \Device\Harddisk0\DR0\Partition3
08:25:13.0788 0x2b94 \Device\Harddisk0\DR0\Partition3 - ok
08:25:13.0788 0x2b94 [ C257F49A886D0C4FE22B2F67905CF952 ] \Device\Harddisk0\DR0\Partition4
08:25:13.0819 0x2b94 \Device\Harddisk0\DR0\Partition4 - ok
08:25:13.0851 0x2b94 [ 3F6D5BA1AABA1244C5E896B49006D81A ] \Device\Harddisk0\DR0\Partition5
08:25:13.0866 0x2b94 \Device\Harddisk0\DR0\Partition5 - ok
08:25:13.0872 0x2b94 [ 809537E426045146AF9D29A2EF90F984 ] \Device\Harddisk1\DR1\Partition1
08:25:13.0875 0x2b94 \Device\Harddisk1\DR1\Partition1 - ok
08:25:13.0876 0x2b94 ================ Scan generic autorun ======================
08:25:13.0929 0x2b94 [ 0B091BD3E8F6BD5F985DE8E3DF17D837, 7082AFB9EE8EE2EAAAFA0DB129505117E2BA1D7059B193E0DEF514080F77D1BE ] C:\Windows\system32\igfxtray.exe
08:25:13.0945 0x2b94 IgfxTray - ok
08:25:13.0976 0x2b94 [ 1ECC8D5528F535EC6CECFB824B349418, 4035CD388A437F1564C6E4E86787756CF196CD0DFDDAD4DAFABDB583D370FF4F ] C:\Windows\system32\hkcmd.exe
08:25:14.0007 0x2b94 HotKeysCmds - ok
08:25:14.0085 0x2b94 [ 1B8C1C4B77BE157E322A05118A2E25E1, 978C8A511544DE5BC7BCB31B675356E8E764EFC435BCCDF360C8635668D6B072 ] C:\Windows\system32\igfxpers.exe
08:25:14.0115 0x2b94 Persistence - ok
08:25:14.0471 0x2b94 [ 586154542F56C285E6F53E4727928780, 7D009AE4310DF49492D20F3363C0A21A1461A6948809883266027D86A1EE87D5 ] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
08:25:14.0767 0x2b94 RTHDVCPL - ok
08:25:14.0783 0x2b94 SynTPEnh - ok
08:25:14.0830 0x2b94 [ D0B542256A968DFCB8896C140FCE6047, 3F92A9871B521BCCCDFE6D9BFF88930B26C5DB86F6F6578554A3F2ECC5C5EBA0 ] C:\Program Files\iTunes\iTunesHelper.exe
08:25:14.0830 0x2b94 iTunesHelper - ok
08:25:14.0939 0x2b94 [ E2043ABD9E13E1B7BF74B1D05E15AA47, B59953E4F2392858601551A4FA2024742B99E6AF48D71C3155548C97E25A1FA9 ] C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe
08:25:14.0971 0x2b94 HPMessageService - ok
08:25:15.0209 0x2b94 [ 4CDF90E852837C827C855F8E8E2C5FE2, 1918CE3A880E2067D52C538096DA2D35DFCA2D742E2ED370CF2DFE22840024FD ] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe
08:25:15.0506 0x2b94 Intuit SyncManager - ok
08:25:15.0573 0x2b94 [ 34D296AFC913E302953C70463EF09A48, BC413307CBC56C039EE8A05B51A56E14EF59678FBB33815AEB320078056C8CE7 ] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
08:25:15.0583 0x2b94 HP Software Update - ok
08:25:15.0723 0x2b94 [ 22F7B9670AD770C7ED7F4738204C8E5C, 7B793AC094CB1B073419B5DAE09DFBB8EBED03D29301F490AA76EA0667613438 ] C:\Program Files\HP\HP Officejet 6600\Bin\ScanToPCActivationApp.exe
08:25:15.0803 0x2b94 HP Officejet 6600 (NET) - ok
08:25:15.0823 0x2b94 Skype - ok
08:25:15.0973 0x2b94 [ ACD929D8754B63BBBB68B48B96F8A99E, E4DD488BA151AAB58FC00458F69D5A7AC191BA488F2BDAF88BE432C24250AF94 ] C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe
08:25:16.0073 0x2b94 Advanced SystemCare 8 - ok
08:25:16.0173 0x2b94 [ CE9806603D3C635EA6E0BB79FE916D2E, E544A661AF49DF835D27748B75D2DC36CAA2A224CB385B406D32FC541B12C6C4 ] C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
08:25:16.0203 0x2b94 GoogleChromeAutoLaunch_D767CAD71DA7DD1CDFD0D3EF6D1B23BA - ok
08:25:16.0203 0x2b94 Waiting for KSN requests completion. In queue: 135
08:25:17.0209 0x2b94 Waiting for KSN requests completion. In queue: 135
08:25:18.0210 0x2b94 Waiting for KSN requests completion. In queue: 135
08:25:19.0223 0x2b94 Waiting for KSN requests completion. In queue: 135
08:25:20.0256 0x2b94 AV detected via SS2: Windows Defender, C:\Program Files\Windows Defender\MSASCui.exe ( 4.7.205.0 ), 0x61100 ( enabled : updated )
08:25:20.0271 0x2b94 Win FW state via NFP2: enabled
08:25:32.0797 0x2b94 ============================================================
08:25:32.0797 0x2b94 Scan finished
08:25:32.0797 0x2b94 ============================================================
08:25:32.0812 0x2b8c Detected object count: 0
08:25:32.0812 0x2b8c Actual detected object count: 0


Just finished running TDSSKiller. Nothing found, but I still have pop-ups.

Re: Trojan.DNSChanger and SearchScopes

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/20/2015
Scan Time: 9:20:15 AM
Logfile:
Administrator: Yes

Version: 2.01.4.1018
Malware Database: v2015.04.20.03
Rootkit Database: v2015.03.31.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Michelle

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 356563
Time Elapsed: 32 min, 5 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 1
Trojan.DNSChanger, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{5EA0F310-66E7-47DE-8308-90A94C0279A0}|NameServer, 31.168.228.251,82.166.96.251, Good: (), Bad: (31.168.228.251,82.166.96.251),,[e6edbcb2e8a294a29d3d4cb8bb4b44bc]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

This is the same item I've had since the beginning.
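The Malwarebytes line above is the whole indicator: a static `NameServer` value under the per-interface `Tcpip\Parameters\Interfaces\{GUID}` key, pointing at servers the user never configured. The PowerShell script below is an added example, not code from this thread or from any of the tools it mentions. It walks that registry location, lists every interface with a static DNS server, marks the two addresses from the MBAM log as known bad, and, only when `-Remediate` is given, resets those interfaces to DHCP-assigned DNS. The `KnownBad` default values come from the log line above; the parameter names, the `-Remediate` switch and the verdict wording are this example's own.

```powershell
<#
  Added example: audit static DNS servers per interface under the key that
  Malwarebytes flagged (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces).
  Reading the registry needs no elevation; -Remediate needs an elevated prompt.
#>
param(
    # Addresses taken from the MBAM "Registry Data" line in this thread.
    # Any other static address is reported as "static - review", not as bad.
    [string[]]$KnownBad = @('31.168.228.251', '82.166.96.251'),
    # When set, interfaces with a static NameServer are reset to DHCP-supplied DNS.
    [switch]$Remediate
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$findings = @()

foreach ($iface in Get-ChildItem -Path $base) {
    $props  = Get-ItemProperty -Path $iface.PSPath
    $static = [string]$props.NameServer       # manually configured servers (comma-separated)
    $dhcp   = [string]$props.DhcpNameServer   # servers handed out by DHCP (space-separated)
    if ([string]::IsNullOrWhiteSpace($static)) { continue }   # DHCP-only interface: nothing to flag

    foreach ($addr in ($static -split '[,\s]+' | Where-Object { $_ })) {
        if ($KnownBad -contains $addr) {
            $verdict = 'KNOWN BAD (matches MBAM finding)'
        } else {
            $verdict = 'static - review'
        }
        $findings += [pscustomobject]@{
            Interface  = $iface.PSChildName   # the {GUID} subkey name
            NameServer = $addr
            DhcpServer = $dhcp
            Verdict    = $verdict
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No static NameServer values found; DNS is DHCP-assigned on every interface.'
} else {
    $findings | Format-Table -AutoSize
}

if ($Remediate -and $findings.Count -gt 0) {
    # Map each registry {GUID} back to a live adapter, then clear its static
    # server list so the DHCP-supplied servers take effect again.
    foreach ($guid in ($findings.Interface | Sort-Object -Unique)) {
        $adapter = Get-NetAdapter | Where-Object { $_.InterfaceGuid -eq $guid }
        if ($adapter) {
            Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ResetServerAddresses
            Write-Output "Reset DNS to DHCP on '$($adapter.Name)' ($guid)"
        }
    }
    Clear-DnsClientCache   # drop cached answers obtained through the bad resolvers
}
```

Run it without arguments first to see what is set; if the same addresses reappear after a reset, as happened repeatedly in this thread, something on the machine is re-writing the key, and the interface GUID in the output tells you which adapter to watch.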

Re: Trojan.DNSChanger and SearchScopes

# AdwCleaner v4.201 - Logfile created 20/04/2015 at 10:15:08
# Updated 08/04/2015 by Xplode
# Database : 2015-04-19.4 [Server]
# Operating system : Windows 8.1 (x64)
# Username : Michelle - MICHELLE-LAPTOP
# Running from : C:\Users\Michelle\Downloads\adwcleaner_4.201.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Found : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\VCL

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****

#NAME?


-\\ Mozilla Firefox v37.0.1 (x86 en-US)


#NAME?


*************************

AdwCleaner[R0].txt - [725 bytes] - [20/04/2015 10:15:08]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [783 bytes] ##########

Re: Trojan.DNSChanger and SearchScopes

Is it affecting the operation of your computer?

Re: Trojan.DNSChanger and SearchScopes

What do you mean?

I cannot run Chrome properly without pop-ups

Re: Trojan.DNSChanger and SearchScopes

DarrenC wrote:
What do you mean?

I cannot run Chrome properly without pop-ups

Does it happen with other browsers?

Re: Trojan.DNSChanger and SearchScopes

Just Chrome

Re: Trojan.DNSChanger and SearchScopes

There is something amiss with Chrome. Did you try uninstalling and reinstalling it?

Re: Trojan.DNSChanger and SearchScopes

Yup. Tried that on page 2 =(

Re: Trojan.DNSChanger and SearchScopes

Do you have any add-ons in Chrome? It appears that something in Chrome is causing these pop-ups.

Re: Trojan.DNSChanger and SearchScopes

There are no add-ons or anything in any browser. The ads in Chrome seem to be coming from "CloudScout", but there is nothing evident in my installed programs or anything. I changed my DNS back to be automatically obtained and there was one in there (I assume it was changed by the DNSChanger that MBAM keeps finding), but I still have the ads and pop-ups.

Re: Trojan.DNSChanger and SearchScopes

This is a puzzler. Let's try running this. In the meantime, I will have a colleague take a look at this thread.

Please download RenewMyDNS by DragonMaster Jay.

•Save it to your Desktop.
•Right-click on the file and select Extract All...
•Choose a location to save extracted files and keep pressing Next until Finished.
•Double-click the RenewMyDNS folder, then double-click RenewMyDNS.bat to start the program.
•Follow the prompts, and when finished it will launch a log.
•Post that log in your next reply.
•After posting the log, delete the folder RenewMyDNS.