Dns Changer / Dns Updater / E.exe Threat!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by superstar, Aug 5, 2009.

  1. superstar

    superstar Major-Superstar

    I let my girlfriend who knows squat about pcs use mine last night. She started typing in my Mozilla address bar last evening, and words started typing backwards. So the word "Pizza" came out as "aizzP". I thought she might have pressed something wrong on the keyboard so I restarted Firefox, which solved the problem. When she was done using my pc a grey windows prompt message came up stating that Adobe Acrobat or something related to Adobe couldn't run and resulted in an error. I wasn't even running Adobe and rarely do [I probably run it three times a month to view pdf files].

    Then all of a sudden a small yellow balloon popped up in my systray that said "Windows virtual memory is low, increasing page file". I figured there must be some sort of memory leak, so I tried to restart my pc. Before the restart took place, my computer gave me yet another grey windows prompt error message that said "error memory 820029010111xxx" with a whole bunch of numbers [I just made those numbers up]. My pc finally restarted... When it did, something happened that has never happened before.

    I use high speed dsl to get on the internet so if a program has to access the net it will ask me to do so beforehand. Anyways a network connection prompt window notified me that an application named DnsUpdater was trying to gain access to the internet at www.dnscheckin.com. Which is weird because nothing ever tries to run when my pc boots up other than my sound manager, and antivirus. I quickly canceled that internet network connection request, and checked my startup programs in System Mechanic 4, which is an application I use to enable/disable start up entries. To my surprise I now saw an extra startup entry I had never seen before that appeared in the following manner:

    Program Name: DnsUpdater
    Command Line: C:\Program Files\Common Files\e.exe
    Startup Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    I don't even know what a DnsUpdater is, and how this has tried to run on boot. But anyways, I quickly disabled that startup item, and scanned my pc with my ESET Antivirus, as well as with Spybot Search & Destroy, Malwarebytes Antimalware, and Trend Micro's Online Housecall scanner at www.trendmicro.com. They all found absolutely nothing wrong with my pc, and claimed my pc was 100% clean.

    I doubt this because I went to my "C:\Program Files\Common Files" folder and saw a file named "e.exe" that uses an amateur made icon which looks like a blue circle with a white checkmark in it. It definitely looks like someone made the icon themselves, not some sort of a polished application. The "e.exe" file is small in size. I believe under 1mb...

    Other symptoms:

    I also notice that I have 8 svchost.exe processes when I press ctrl+alt+del to check for running processes. That's weird because that's a lot of running processes for that same name. I don't remember seeing that many but I could be wrong.

    Found a running process called "dnsresponder" or "mdnsresponer" when checking the task manager's processes tab. [ie: ctrl+alt+del]

    When I'd type a site such as www.youtube.com in Firefox I'd be redirected to a malicious looking website with advertising and adult type material.

    I couldn't download the latest updates for Malwarebytes Antimalware until I rebooted the pc.

    I found an entry in add/remove programs for "DNS Changer" which only had the option to remove it. But I didn't do so for fear of triggering some ill effect.

    --------------

    Everything I mentioned above related to this problem seemed to stop after I disabled the DnsUpdater startup entry in my System Mechanic's startup manager. Regardless of this I still went ahead and read the read me/run me section of this malware forum to run all scans required.

    Just so you know, when I did run all the scans I made sure the DnsUpdater startup entry was enabled. That way I thought if it were active, one of majorgeeks suggested scans would find it and try to remove it. From what it looks like to me Combofix seemed to remove it. I no longer see the "e.exe" file in "C:\Program Files\Common Files", and the startup entry is no longer in System Mechanic's startup manager. It seems as if they both ended up in the Combofix quarantine if I'm not mistaken... I didn't look in the actual quarantine but the folder does say the word "e.exe" when I hover the mouse over the Combofix quarantine folder. [ie: some sort of folder named "Qoobox" is where the quarantine folder is located. I think that's ComboFix's]

    ANYWAYS WITHOUT FURTHER ADO HERE ARE MY LOGS! THANK YOU VERY MUCH CHASLANG OR ANYONE THAT ANSWERS. YOU ARE THE UNSUNG HEROES OF THIS WEBSITE WHO RARELY GET THE GRATITUDE YOU REALLY DESERVE FOR YOUR TIME WELL SPENT HELPING OTHERS. THANK YOU VERY MUCH. HOPEFULLY MY SCANS SHOW I'M CLEAN NOW... HERE GOES NOTHING!
     

    Attached Files:
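    The checks the poster did by hand (the Run key, the DNS redirection, the svchost.exe count) can be scripted as a read-only audit. The script below is an added example, not code from this thread or from MajorGeeks; it assumes PowerShell is installed (it sticks to 2.0-era cmdlets so it also runs on Windows XP) and reports the most when run as an administrator. It modifies nothing.

```powershell
# Added example, not code from this thread or from MajorGeeks: a read-only audit
# of what the poster checked by hand. It lists Run-key autostarts that look out
# of place (the thread's entry was DnsUpdater -> C:\Program Files\Common Files\e.exe),
# the DNS servers each adapter really uses (what a "DNS changer" alters), and
# svchost.exe instances with an odd path or parent. It modifies nothing.
# Uses PowerShell 2.0-era cmdlets (WMI, not CIM) so it also runs on Windows XP.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Folders where a legitimate autostart is rarely dropped as a bare .exe;
# "Common Files" normally holds vendor subfolders, not executables.
$oddParents = @($env:CommonProgramFiles, $env:TEMP, $env:ProgramData, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLower() }

# Reduce a Run value such as  "C:\x\a.exe" /arg  or  C:\x\a.exe /arg  to the exe path.
function Get-ExeFromCommand([string]$cmd) {
    $cmd = $cmd.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    if ($cmd -match '^(.+?\.exe)') { return $matches[1] }   # -match ignores case
    return $cmd.Split(' ')[0]
}

function Get-AutostartFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $cmd = [string]$regKey.GetValue($name)
            $exe = Get-ExeFromCommand $cmd
            if (-not $exe) { continue }
            $parent = [string](Split-Path -Path $exe -Parent)
            $leaf   = Split-Path -Path $exe -Leaf
            # A bare name (no folder) is resolved through PATH, so check it that way.
            $exists = Test-Path -LiteralPath $exe
            if (-not $parent) { $exists = [bool](Get-Command $exe -ErrorAction SilentlyContinue) }
            $why = @()
            if ($oddParents -contains $parent.TrimEnd('\').ToLower()) { $why += 'bare exe in a shared, temp or profile folder' }
            if ($leaf -match '^[a-z0-9]\.exe$') { $why += 'one-character file name' }
            if (-not $exists)                   { $why += 'target missing (orphaned or already removed)' }
            if ($why.Count -gt 0) {
                New-Object PSObject -Property @{ Key = $key; Name = $name; Command = $cmd; Reason = ($why -join '; ') }
            }
        }
    }
}

# DNS servers each IP-enabled adapter is actually using. A DNS changer swaps these
# for resolvers it controls; compare against what your router or ISP hands out.
function Get-DnsFindings {
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, DHCPEnabled,
            @{ Name = 'DnsServers'; Expression = { $_.DNSServerSearchOrder -join ', ' } }
}

# Eight svchost.exe processes is normal on XP. What matters is that each one runs
# from %SystemRoot%\system32 and was started by services.exe.
function Get-SvchostFindings {
    $expected = (Join-Path $env:SystemRoot 'system32\svchost.exe').ToLower()
    $procs = Get-WmiObject -Class Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
        $why = @()
        # ExecutablePath is $null when the caller lacks rights to read it (non-admin); skipped.
        if ($p.ExecutablePath -and $p.ExecutablePath.ToLower() -ne $expected) { $why += "runs from $($p.ExecutablePath)" }
        $parent = $byPid[[int]$p.ParentProcessId]
        if ($parent -and $parent.Name -ine 'services.exe') { $why += "started by $($parent.Name), not services.exe" }
        if ($why.Count -gt 0) {
            New-Object PSObject -Property @{ Pid = $p.ProcessId; CommandLine = $p.CommandLine; Reason = ($why -join '; ') }
        }
    }
}

'== Suspicious Run entries =='; Get-AutostartFindings | Format-List
'== DNS servers per adapter =='; Get-DnsFindings | Format-Table -AutoSize
'== svchost.exe anomalies =='; Get-SvchostFindings | Format-Table -AutoSize
```

    The Run-key check would have flagged the thread's DnsUpdater entry twice (bare exe under Common Files, one-character name); the DNS listing is what to compare against the resolvers your ISP or router normally assigns.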

  2. superstar

    superstar Major-Superstar

    Here's the other logs attached to this post... Thanks again for your support I cannot stress how much I thank you for all of your hard work. I use this pc for personal business and family, so I need it to be clean! Thanks...

    OTHER PROBLEMS!
    Oh by the way I get some weird grey prompt box window when I restart my pc that has a weird character in it that doesn't look English. It pops up right before I enter my pc password to login to my admin account. All it has is an "Ok" button, and without pressing it I cannot type my password to login. I think it has something to do with Combofix installing the windows recovery console, because it didn't happen before with other scans or when I restarted my pc before, even during this whole issue I need help for.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's just do this, as most of the malware is gone.

    First you need to be more specific as to what pops up when you start up... having the recovery console installed will only give you the option on start up to go to normal start up or the recovery console.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    lac97inf
    
    File::
    c:\docume~1\Casanova\LOCALS~1\Temp\lac97inf.sys
    Folder::
    C:\Documents and Settings\All Users\Application Data\AVG7
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. superstar

    superstar Major-Superstar

    Here's the new Combofix log, and the new Mglogs.zip. I can't stress how much of a help you've been so far. I've been waiting days for a reply, and need to use my pc urgently but can't until I know I'm in the clear.

    As for the added issue I told you about before, of a prompt window coming up when I boot up my pc during the logon password screen, here are two screenshots of this issue:

    http://i32.tinypic.com/2qitcts.jpg

    http://i25.tinypic.com/2q9gojk.jpg

    I never had this problem before, even when I first realized that my pc was infected. This only started happening after I did the procedures you guys ask everyone to run in the RUN AND READ ME BEFORE POSTING. Just so you know the gibberish in the window prompt always changes on every reboot [ie: some foolishness in the bluebar, and one weird character in the grey box section]. I can't put in my user logon password for Windows Xp until I press the "Ok" button on that prompt. Oh and when I just ran Combofix to get the new log you asked me for, my pc restarted on its own and that prompt DIDN'T COME UP! But then when I ran the MGtools.bat file you asked me to run, I restarted my pc just to see if it was really gone, and that's when I saw the prompt yet again. Which leads me to believe that MGTOOLS is behind this issue! But how do I resolve that?

    I hope you can let me know if the infection I started this thread for is gone, and also how to get rid of this prompt window. Anyways I hope my logs are clean now...


    THANK YOU
     

    Attached Files:

    Last edited: Aug 7, 2009
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Frankly we have never seen this before. So if indeed it did not appear when combo rebooted, but did when you ran the getlogs.bat, we can do our final cleanup (as I am not seeing any malware) and see if that works to stop it.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  6. superstar

    superstar Major-Superstar

    Ok I've done everything except two things:

    A) I didn't remove Rootrepeal because I found no uninstaller in add/remove... I suppose it's just a standalone application so can I just delete it sir?

    B) I didn't flush my System Restore just in case because of the following two reasons below.


    I ran into two problems during the uninstall of all the tools:

    1) After uninstalling Combofix I went to add/remove to uninstall Hijackthis. When I tried to remove it I got a message prompt that said
    I CHOSE YES. Hope that was the right choice to make since I didn't find any trace/folder for HijackThis in my "C:\Program Files" folder beforehand.

    2) I STILL GET THAT WINDOW PROMPT MESSAGE AS PER MY PREVIOUS POST DURING EVERY WINDOWS LOGON SCREEN!!! I'm starting to think that it has something to do with Windows Recovery Console which is still on my system, and was installed by Combofix during my first log scans when I came to this forum. I never had Windows Recovery Console on my system before. Just so you know after it was installed Windows Recovery Console shows up when I turn on my pc but doesn't stop to let me choose anything. It blinks quickly for about 1 second, and then proceeds to boot me to the logon password screen for Windows XP. Which is where I get that weird window prompt message with gibberish. I actually filmed the period when Windows Recovery Console flashes quickly when I turn my pc on with my camera. While viewing the video back in slow mode I can clearly see that it has no timer number next to "Seconds Until Highlighted Choice Will Be Selected". I honestly think Windows Recovery Console is causing this whole issue... Maybe it installed itself wrong? I followed all the correct Combofix instructions when it installed. I had the instructions from bleeping computer printed out on hand. I didn't deviate from the instructions at all.


    Once again thank you for your valuable time sir.
     
    Last edited: Aug 7, 2009
  7. superstar

    superstar Major-Superstar

    Update:

    I took the liberty of finishing the last three steps... I Googled Rootrepeal and found out it is a standalone application so I deleted that, ran CCleaner as per your link, and toggled my System Restore... Funny thing is when I re-enabled System Restore and rebooted I DIDN'T see that weird prompt during log on. So I rebooted again to be sure, and there it was again! I dunno what this could be. I'm sure it probably has something to do with Windows Recovery Console. Or something else has infected me! But how so? This never showed up until I ran those scanning tools you guys ask in the "Run & Read Me Before Posting". I'm going to try and remove Windows Recovery Console, maybe that'll help.

    Anyways hopefully you can help me fix this issue. Thank you for your time.
     
  8. superstar

    superstar Major-Superstar

    Update 2:

    Okay well I removed Windows Recovery Console as per instructions here:

    http://support.microsoft.com/kb/307654 [Scroll down to the removal section]

    The removal of Windows Recovery Console went fine. Except for the fact that I had a hard time removing the "Cmdcons" folder during the removal process because the contents inside were supposedly locked/in use according to an annoying prompt message I kept getting. So I had to use Malwarebytes Anti-malware's tool "Fileassassin" to delete every single locked file in that folder one by one. I was able to remove the contents/files, but not the folder itself! Even now as we speak the folder is now empty though still locked on my pc and cannot be removed. Anyways even so, I still got that weird prompt during the XP password log on screen. So I tried to use System Mechanic which I've used for years, and ran it to do a routine registry cleaning. The prompt still came up after that when I rebooted!

    I then tried to run my pc in Safe Mode to see if I could remove that empty "Cmdcons" folder, and was surprised to finally see some sort of English during the weird prompt message I've been getting all along during the Windows XP log on password screen. I took a picture of it for you...

    I'M GOING NUTS HERE, PULLING MY HAIR OUT! I refuse to use my pc normally until I can fix this stuff, for fear that I may become reinfected or worse.


    Thanks

    http://i25.tinypic.com/28bvha0.jpg
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download the current version of MGtools and save it to your root folder.

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip
     
  10. superstar

    superstar Major-Superstar

    Here's my Avenger, and Mgtools logs... By the way I didn't have to do this step you mentioned:

    I didn't have to do that since I had already uninstalled MGtools before. So when I just downloaded it, and ran the exe now as per your recent link, MGtools ran on its own and just created the zip with logs when it was finished. So I guess that was the same thing...

    By the way after running Avenger and it doing an auto reboot I STILL got the weird pop up message during Xp's password log on. This time it's saying something else in the blue section of the prompt window bar with all the gibberish words:


    Thank you once again for your help, this problem is very annoying. I've lost 4 days of pc usage due to all of this downtime. I sincerely appreciate your work Tim.
     

    Attached Files:

    Last edited: Aug 8, 2009
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  12. superstar

    superstar Major-Superstar

    I'll do that right now and post when I'm done. Thank you so much Tim for your time. I'm sorry if I'm using up your personal time with family, friends, hobbies, work, etc. I'll post back as soon as this Bitdefender stuff is done...

    Thank you again...
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I edited my last post....so you may not have seen that. Check the post. :) We will get this resolved one way or the other.
     
  14. superstar

    superstar Major-Superstar

    Sounds great thanks! One problem... I visited the Bitdefender website link you gave me... Clicked on Scan, then a small internet window popped up, after that the small internet window asks me to install an active x object [which I agree to], and then a new window pops up asking me to choose install/don't install Bitdefender's online scanner [which I hit "install" to]. Then the previous small internet window changes to show where you can let the scan check your entire pc, or choose specific areas. During that time I get a pop up prompt message that says:
    I also see a small warning in the corner of the small internet explorer window. If I double click, it tells me that the active x isn't authorized, etc.

    I can still see the "Scan" button... Should I still scan even though I get this issue?
     
    Last edited: Aug 8, 2009
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  16. superstar

    superstar Major-Superstar

    Thanks for your quick replies!

    I'll see if the Bitdefender scan works anyways... I just checked for TDSSserv.sys as per your instructions and I didn't find it in my device manager. I'll run that SysClean after I do the Bitdefender scan if it runs. If I run into a problem I'll post back.


    Thanks again sir MIGHTY TIM!
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's do one other thing that may be causing this. Disable SUPERAntiSpyware from loading at startup.

    If that solves the problem, then I want you to go to the C:\Avenger folder, the most recent backup is called backup.zip and is password protected with the password "infected". Restore the C:\Windows\system32\digest.dll.
     
  18. superstar

    superstar Major-Superstar

    I tried to click on the scan button for Bitdefender but it didn't run at all... I guess they need to air out their online issues with their active x controls.

    I did download Sysclean and ran everything as per your instructions. I've attached the "Sysclean.log" for you with this post. Just so you know Sysclean generated another log which is named "Report.log". Though I don't know if you want that log too.

    After running everything the first time the other day and having you tell me to uninstall everything I had uninstalled SUPERAntiSpyware along with everything else. So that is no longer on my system, and hasn't been for a while. It doesn't exist as a start up entry anymore.

    I guess it's out of the question for me to do that now.


    Thanks again Tim... I bet you're starting to get furious with this problem too! :) & hey I don't blame you! I'm right here in the battlefield with you man, we need to shake this attack full force! I'm ready to do anything you ask me to. This is so crazy... I have intermediate pc knowledge... I build em, and know software really well. Heck I'm so paranoid that I physically clean my pc inside weekly, defragment every two days, run anti virus/malware scans twice a week, clean my registry twice a week, and use ccleaner everyday. I have no idea how my pc has become a warzone.
     

    Attached Files:

    Last edited: Aug 8, 2009
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There just doesn't seem to be any malware as the cause of this. This may be something software related.

    Check in safe mode (you may have already told me this) and also let's start trying selective start up mode. Disable all but MS programs.
     
  20. superstar

    superstar Major-Superstar

    Should I restore that file from Avenger???

    Was that malware/spyware/virus related?

    Thanks I'll try disabling everything other than ms programs. Brb with my results. It's just odd I never had this happen in the four years I've had this pc... It all happened when I ran the RUN & READ ME scans. & yes it does happen during safe mode.
     
  21. superstar

    superstar Major-Superstar

  22. superstar

    superstar Major-Superstar

    Update 2:

    I did some research for hours last night until I fell asleep in my chair. These are all the supposed fixes I was able to find through google on this link:

    http://techrepublic.com.com/5208-6230-0.html?forumID=101&threadID=239060&messageID=2328061

    The one above is apparently the one that worked for most people.

    The problem is most of these steps seem quite advanced, and they don't really go into exact detail on how to do some of them. The other problem is that some of those fixes have steps to do them on Windows Xp Professional, not Home which is what I have.

    Now that I have done much of the legwork for this issue maybe you can guide me from here Tim thanks! Oh and I will admit like I said in my first post in this thread, I did get a "Windows virtual memory is low, increasing page file" yellow balloon message when my first infection took place. So it could be related to that like one of those fixes mentions. & I won't lie, but I have in the past gotten that message quite a lot usually while using the memory hog eating program Adobe Photoshop.
     
    Last edited: Aug 9, 2009
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes you need to restore that file in Avenger.

    Second, I think you will probably need to post in the software forum, but in the meantime, I want you to go to msconfig and set it to diagnostic mode. See if it occurs. If it doesn't, then add services one by one until it does.
     
  24. superstar

    superstar Major-Superstar

    I tried a couple methods...

    1. I set my pagefile to clear on boot via registry value which didn't stop that weird message.

    2. I tried eliminating and recreating my pagefile and that did nothing as well.


    Yah I restored that file from Avenger... Thanks for your help I guess I'll try what you just suggested now, and if that doesn't work post in the software forum. This is really annoying and it just doesn't make me feel safe.
     
  25. superstar

    superstar Major-Superstar

    You were absolutely right with that hunch... I set msconfig to diagnostic mode and the message didn't come up at all.

    I'll now try to add services one by one in diagnostic mode to see if anything triggers it and let you know.

    Thanks Tim!:wave

    I'm starting to feel much better...
     
  26. superstar

    superstar Major-Superstar

    No offense to you or anything like that but my autoplay doesn't work anymore either with anything I plug into my pc's usb ports. I have a STRONG suspicion that either Combofix or Mgtools made all of this stuff happen on my pc. I know I know you use it at your own discretion. But I still have to say that none of this happened until I used those two scanners. Which one of those two actually did it? I don't know... I know Combofix took that virus off my pc because I saw it visually gone afterwards. But man the problems I have to deal with now are worse. I just had to download a file called autofix.exe from microsoft to re-enable one of my external drives autoplay. Apparently some of the registry keys were changed to disable autoplay. Now this also makes me believe that one of those scanners I had to run made changes to my registry it shouldn't have made. That is probably why I'm getting this weird message when I logon to Windows Xp too. The autofix.exe showed some problems with policies??? Group policies or something like that it fixed. Here's the log:

     
  27. superstar

    superstar Major-Superstar

    I unfortunately had to use Acronis True Image for the first time to restore my pc to a previous date. Luckily I had an image backup of my O/S. It saved my BACON!

    Quick question about the scans you made me do.

    During the scans you asked me to run Combofix. ComboFix asked me to install the Windows Recovery Console. I was just wondering does installing the Windows Recovery Console alter the MBR / Track 0 on a hard drive???? Because if so I'll have to restore my MBR if I can find a backup...
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your backup image probably removed the recovery console. As well as anything else we had you do.
     
