#1 2009-01-11 18:36

eR@SeR
Senior Member
From: Zemun, Serbia
Registered: 2008-01-23
Posts: 354

Windows XP issues/solutions

I have had a problem updating KAV 7 and Ad-aware via their update modules and also via their sites (almost unbelievable). I read almost every forum on this problem too, but almost nothing helped me. I was desperate and was ready to format C:. Finally I found one post where a user tried Malwarebytes' and got rid of that irritating problem. Many users have this problem, but this one finally solved mine. The cause was probably Trojan.DNSChanger. Even KAV 7 couldn't detect it (I thought that I could rely on Kaspersky). Here is the scan log. I hope that this will help someone if he (ever) has this really unusual problem.

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

26.12.2008 3:22:39
mbam-log-2008-12-26 (03-22-38).txt

Scan type: Quick Scan
Objects scanned: 55812
Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 18
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5e06398e-3017-467b-a399-18425a20f655} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0112b9ed-389a-40be-b860-e6f547749cfe}\DhcpNameServer (Trojan.DNSChanger) -> Data:85.255.116.117;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0112b9ed-389a-40be-b860-e6f547749cfe}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2fad24f9-6453-465b-974c-9f752069f5b6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2fad24f9-6453-465b-974c-9f752069f5b6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0112b9ed-389a-40be-b860-e6f547749cfe}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0112b9ed-389a-40be-b860-e6f547749cfe}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2fad24f9-6453-465b-974c-9f752069f5b6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2fad24f9-6453-465b-974c-9f752069f5b6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{0112b9ed-389a-40be-b860-e6f547749cfe}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{0112b9ed-389a-40be-b860-e6f547749cfe}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{2fad24f9-6453-465b-974c-9f752069f5b6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{2fad24f9-6453-465b-974c-9f752069f5b6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Quarantined and deleted successfully.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

One more thing... It happens, for example, that my taskbar freezes when I run some programs (e.g. YuRecnik.exe - a dictionary); then I cannot even restart the computer via Task Manager or kill that process at all. The desktop responds, but after a few clicks the whole system is blocked. Then I have to shut it down via the power button. Scanned with KAV 7, Ad-aware and Malwarebytes' (excellent anti-malware app) with the latest updates and no viruses/malware detected. I read almost every forum on this situation and none of those solutions helped. Does anybody know how to surmount this issue? I will be grateful.


TRUTH, FREEDOM, JUSTICE and FATHERLAND are the highest moral values which a human is born, lives and dies for!

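The scan log above is mostly a list of Tcpip\Parameters NameServer and DhcpNameServer values pointing at 85.255.116.117 and 85.255.112.190, and several of them are only "Delete on reboot", so the rogue resolvers stay in effect on the live control set until the machine restarts. As an added example, not part of this post and not Malwarebytes' own code, the Python script below parses such log lines, lists the resolvers that are neither on an allowlist nor in a private range, and reports which control sets still have entries pending a reboot. The sample log is a constructed subset of the lines above (same paths and addresses), and the allowlist address 203.0.113.53 is a placeholder for whatever resolver your ISP or LAN legitimately hands out.

```python
"""Added example (not from the forum post): pull the DNS-server values out of a
Malwarebytes-style scan log and report rogue resolvers and reboot-pending entries."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: a subset of the 'Registry Data Items Infected' lines
# from the scan log in the post above (same registry paths, same 85.255.x.x data).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0112b9ed-389a-40be-b860-e6f547749cfe}\DhcpNameServer (Trojan.DNSChanger) -> Data:85.255.116.117;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.117;85.255.112.190 -> Quarantined and deleted successfully.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""

# One log line: <registry path>\<NameServer|DhcpNameServer> (<detection>) -> Data:<ips> -> <action>.
# 'Data:' is sometimes followed by a space and sometimes not, as in the log above.
_ENTRY_RE = re.compile(
    r"^(?P<path>HKEY_\S+?)\\(?P<name>DhcpNameServer|NameServer)"
    r" \((?P<detection>[^)]*)\) -> Data:\s*(?P<data>\S+) -> (?P<action>.+?)\.?$"
)
_CONTROL_SET_RE = re.compile(r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\", re.IGNORECASE)
_IFACE_RE = re.compile(r"\\Interfaces\\(\{[0-9a-f-]+\})", re.IGNORECASE)


def classify_server(addr: str, trusted: frozenset[str] = frozenset()) -> str:
    """Return 'trusted' (on the allowlist), 'private' (RFC 1918 / loopback / link-local,
    typically a LAN router or corporate resolver), 'invalid' (not an IP), else 'rogue'."""
    if addr in trusted:
        return "trusted"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    return "rogue"


def parse_dns_entries(log_text: str) -> list[dict]:
    """Extract every NameServer/DhcpNameServer data item from the log; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if not m:
            continue  # section headings, '(No malicious items detected)', non-DNS keys
        cs = _CONTROL_SET_RE.search(m["path"])
        iface = _IFACE_RE.search(m["path"])
        entries.append({
            "control_set": cs.group(1) if cs else "?",
            "interface": iface.group(1) if iface else None,  # None = global Tcpip\Parameters value
            "value_name": m["name"],
            "servers": [s for s in m["data"].split(";") if s],
            "detection": m["detection"],
            # 'Delete on reboot' means the value is still live until the next restart
            "pending_reboot": m["action"].lower().startswith("delete on reboot"),
        })
    return entries


def summarize(log_text: str, trusted: frozenset[str] = frozenset()) -> dict:
    """Group the configured resolvers by verdict and list control sets still awaiting reboot."""
    entries = parse_dns_entries(log_text)
    verdicts = defaultdict(set)
    for e in entries:
        for s in e["servers"]:
            verdicts[classify_server(s, trusted)].add(s)
    return {
        "entries": len(entries),
        "rogue": sorted(verdicts["rogue"]),
        "trusted": sorted(verdicts["trusted"]),
        "private": sorted(verdicts["private"]),
        "pending_reboot_control_sets": sorted({e["control_set"] for e in entries if e["pending_reboot"]}),
    }


if __name__ == "__main__":
    # 203.0.113.53 is a placeholder (RFC 5737 documentation range) for your ISP's or LAN's resolver.
    report = summarize(SAMPLE_LOG, trusted=frozenset({"203.0.113.53"}))
    print(f"{report['entries']} DNS data items parsed")
    print("rogue resolvers:", ", ".join(report["rogue"]) or "none")
    print("control sets still pending reboot:", ", ".join(report["pending_reboot_control_sets"]) or "none")
```

After the reboot the same check is worth repeating on a fresh scan log: if any control set still shows up as pending, or ipconfig /all still lists the 85.255.x.x addresses, the values came back and the cleanup is not finished.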

#2 2009-01-12 06:20

Andrew
Senior Member
Registered: 2008-05-22
Posts: 542

Re: Windows XP issues/solutions

eR@SeR, if http://www.malwarebytes.org/forums didn't help you, then register and post your HJT logs on either of these two forums:

http://forums.maddoktor2.com/index.php?showforum=17

http://forums.techguy.org/54-malware-re … kthis-logs

I'm sure you'll be able to clean your PC with their help. Only as a last resort should you look at formatting and/or reinstalling Windows. Also, ensure you have SP3 as well as a real-time AV and anti-malware program running at all times along with a good firewall. Even though this will slow down your PC a bit (exactly how much depends on your config of course), it's necessary nowadays if you're connected to the net.

KAV is rated highly, but I'm surprised it didn't detect this, esp. as the trojan is quite old. I personally use Eset Nod32 AV 3.x and PC Tools Spyware Doctor 6.x (and my PC has been clean for so many years now), though there are many free and paid tools available out there. Take your pick, but at least have something running. Also remember, keeping them updated is as much or more important than just installing them. I also schedule a once-a-week deep scan on Saturday night so that it doesn't interfere with my work.

Last edited by Andrew (2009-01-12 06:26)


#3 2009-01-14 01:42

eR@SeR
Senior Member
From: Zemun, Serbia
Registered: 2008-01-23
Posts: 354

Re: Windows XP issues/solutions

I'll consider your suggestions... It has become so common and irritating.

Andrew wrote:

Also, ensure you have SP3 as well as a real-time AV and anti-malware program running at all times along with a good firewall. Even though this will slow down your PC a bit (exactly how much depends on your config of course), it's necessary nowadays if you're connected to the net.

I'm aware of this. KAV and Malwarebytes' (since 26.12.2008) run all the time, but it's possible that I have some kind of malware or some 'memory allocating problem', since I have a lot of installed software and the HD is at the end of its capacity too (250GB).
Btw, I use the most reliable protection, registry/file cleaning/formatting tools, but sometimes that's not enough. XP simply needs that fragmentation surely every 3-4 months, unfortunately.

Andrew wrote:

KAV is rated highly, but I'm surprised it didn't detect this, esp. as the trojan is quite old.

It has happened several times that I sent files to newvirus@kaspersky.com and it turned out that they were malware, so everything is possible. Malwarebytes' probably has its own database to detect malware. Here is their quotation:

Malwarebytes' wrote:

...Malwarebytes' Anti-Malware can detect and remove malware that even the most well known anti-virus and anti-malware applications fail to detect. Malwarebytes' Anti-Malware monitors every process and stops malicious processes before they even start. The Realtime Protection Module uses our advanced heuristic scanning technology which monitors your system to keep it safe and secure. In addition, we have implemented a threats center which will allow you to keep up to date with the latest malware threats.

Once I had a virus, and when I updated KAV it detected it. Who knows how long it was active as a process.
There are stories that Eset Nod32 tools are more reliable - even better heuristics than KAV (?) - and use fewer CPU resources, which is true... but I'm habituated to using KAV and that's it.

I used PC Tools Spyware Doctor (v4 or v5 - one year ago) together with KAV 5, but it used too much CPU resources... Not a recommended combination, definitely.

Andrew wrote:

Also remember, keeping them updated is as much or more important than just installing them.

That goes without saying. It happens that KAV adds over 10000 malware samples to their database in a week, and the total number of malware samples is rather large. If you haven't updated your database for 2 days, then it's obsolete... That speaks for itself!


TRUTH, FREEDOM, JUSTICE and FATHERLAND are the highest moral values which a human is born, lives and dies for!
