I previously posted this problem on a similar topic here
http://forum.avast.com/index.php?topic=62582.msg528317#msg528317
but have been advised to start a new topic instead, so here it is.
The problem I am experiencing is that Avast is detecting threats (specifically a “Win32:DNSChanger-VJ[Trj]”) in PROCESSES “svchost.exe” AND “explorer.exe”, and there seems to be no option to delete, repair, send to chest, or otherwise remove the infection.
I am running Avast 5.0.677, virus definitions version 100915-1 on Windows XP Pro, Service Pack 3.
Lavasoft Ad-Aware is usually running in the background, and I manually scan with MBAM and SuperAntiSpyware once or twice a week.
The first sign of a problem occurred on Sept. 14th, when clicking links on Google search results would re-direct the browser to other websites (ad sites, gaming sites, etc).
Scanning with MBAM and SuperAntiSpyware didn’t show any results then (all clean), but Avast reported a Win32:DNSChanger-VJ[Trj] in Process “svchost.exe” with no options other than the “move to chest” on the “apply to all” window, but the “Apply” button seemed disabled.
I rebooted, hoping to re-scan and perhaps fix the issue, but received a BSOD (0x0000007B) on both normal, last known good configuration, and safe mode boot attempts. Booting from an Ultimate Boot CD for Windows showed that the C: drive letter had been changed to D:, and my secondary (storage only) hard drive was now marked as drive C:.
Removing the secondary hard drive restored the correct drive letter C: to the system disc, and fixed the BSOD issue at least long enough to update all virus definition databases.
I started to re-scan, but then got hit with the “Anti-Virus 2010” pop-up, so I immediately terminated my Internet connection and set to remove all traces of the “Anti-Virus 2010”.
A full MBAM scan (log available if necessary) found, quarantined and removed “C:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus2010)”, and there was no problem with rebooting.
Then I ran a full scan with Avast, and this time I received two (2) reports of the “Win32:DNSChanger-VJ[Trj]”: the first one in Process 1088 [svchost.exe], and a second one in Process 1576 [explorer.exe], BOTH reported in memory block 0x00000000001A0000, block size 81920, Severity: High, and again no way to delete, repair, move, etc.
I followed the instructions of essexboy here
http://forum.avast.com/index.php?topic=53253.msg451454#msg451454
yesterday (15 September), and the MBAM Quick Scan showed the SAME “C:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus2010)” infection that was previously supposed to have been deleted under the full scan. I chose “delete” once more, but this time rebooting resulted in the BSOD once again, with the exception, however, that the drive letter had NOT changed, and a second re-boot was normal this time.
On start-up this morning (16 September), the computer booted normally, and I was able to get online and update all the virus databases (MBAM, SAS, Ad-Aware and Avast) to their newest version.
MBAM, SAS, and Ad-Aware scans all came back clean, but Avast scans are still reporting the SAME TWO (2) “Win32:DNSChanger-VJ[Trj]” infections in PROCESS “svchost.exe” AND “explorer.exe”, in the SAME memory blocks (0x0000000001A0000 block size 81920 for both), and the only thing that has changed are the reported Process numbers which are now “Process 1168 [svchost.exe]” (previously Process 1088), and “Process 1632 [explorer.exe]” (previously Process 1576).
I also ran another OTL scan today, but just as yesterday it created ONLY the “OTL.Txt” file and NO “Extras.Txt”.
I’m once again attaching the OTL.Txt and today’s MBAM scan log here, hoping that someone may be able to give me some help or advice on how to get rid of the Process threats reported by Avast (I really don’t think they are false positives, considering the original problem of browser re-directs still exists).
Any kind of help or advice (short of reformatting and re-installing Windows) would be greatly appreciated.