Author Topic: Threats in Processes (memory block) can't be cleared

Mountaingal

  • Guest
Threats in Processes (memory block) can't be cleared
« on: September 16, 2010, 10:22:26 PM »
I previously posted this problem on a similar topic here
http://forum.avast.com/index.php?topic=62582.msg528317#msg528317
but have been advised to start a new topic instead, so here it is.

The problem I am experiencing is, that Avast is detecting threats (specifically a "Win32:DNSChanger-VJ[Trj]") in PROCESSES "svchost.exe" AND "explorer.exe", and there seems to be no option to delete, repair, send to chest, or otherwise remove the infection.

I am running Avast 5.0.677, virus definitions version 100915-1 on Windows XP Pro, Service Pack 3.
Lavasoft Ad-Aware is usually running in the background, and I manually scan with MBAM and SuperAntiSpyware once or twice a week.

The first sign of a problem occurred on Sept. 14th, when clicking links on Google search results would re-direct the browser to other websites (ad sites, gaming sites, etc).

Scanning with MBAM and SuperAntiSpyware didn't show any results then (all clean), but Avast reported a Win32:DNSChanger-VJ[Trj] in Process "svchost.exe" with no options other than the "move to chest" on the "apply to all" window, but the "Apply" button seemed disabled.

I rebooted, hoping to re-scan and perhaps fix the issue, but received a BSOD (0x0000007B) on normal, last known good configuration, and safe mode boot attempts. Booting from an Ultimate Boot CD for Windows showed that the C: drive letter had been changed to D:, and my secondary (storage only) hard drive was now marked as drive C:.
Removing the secondary hard drive restored the correct drive letter C: to the system disk, and fixed the BSOD issue at least long enough to update all virus definition databases.

I started to re-scan, but then got hit with the "Anti-Virus 2010" pop-up, so I immediately terminated my Internet connection and set to remove all traces of the "Anti-Virus 2010".
A full MBAM scan (log available if necessary) found, quarantined and removed "C:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus2010)", and there was no problem with rebooting.

Then I ran a full scan with Avast, and this time I received two (2) reports of the "Win32:DNSChanger-VJ[Trj]": the first one in Process 1088 [svchost.exe], and a second one in Process 1576 [explorer.exe], BOTH reported in memory block 0x00000000001A0000, block size 81920, Severity: High, and again no way to delete, repair, move, etc.

I followed the instructions of essexboy here
http://forum.avast.com/index.php?topic=53253.msg451454#msg451454
yesterday (15 September), and the MBAM Quick Scan showed the SAME "C:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus2010)" infection that was previously supposed to have been deleted under the full scan. I chose "delete" once more, but this time rebooting resulted in the BSOD once again, with the exception however, that the drive letter had NOT changed, and a second re-boot was normal this time.

On start-up this morning (16 September), the computer booted normally, and I was able to get online and update all the virus databases (MBAM, SAS, Ad-Aware and Avast) to their newest versions.

MBAM, SAS, and Ad-Aware scans all came back clean, but Avast scans are still reporting the SAME TWO (2) "Win32:DNSChanger-VJ[Trj]" infections in PROCESS "svchost.exe" AND "explorer.exe", in the SAME memory blocks (0x0000000001A0000, block size 81920 for both), and the only thing that has changed is the reported Process numbers, which are now "Process 1168 [svchost.exe]" (previously Process 1088) and "Process 1632 [explorer.exe]" (previously Process 1576).

I also ran another OTL scan today, but just as yesterday it created ONLY the "OTL.Txt" file and NO "Extras.Txt".

I'm once again attaching the OTL.Txt and today's MBAM scan log here, hoping that someone may be able to give me some help or advice on how to get rid of the Process threats reported by Avast (I really don't think they are false positives, considering the original problem of browser re-directs still exists).

Any kind of help or advice (short of reformatting and re-installing Windows) would be greatly appreciated.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: Threats in Processes (memory block) can't be cleared
« Reply #1 on: September 16, 2010, 11:29:02 PM »
Hi there, let's give this a whirl.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix Recovery Console message]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Mountaingal

  • Guest
Re: Threats in Processes (memory block) can't be cleared
« Reply #2 on: September 17, 2010, 01:40:52 AM »
Okay, I finally managed to get the ComboFix log for you. Sorry this took so long, but I ran into a few snags along the way. First I had trouble re-establishing an Internet connection to let the Recovery Console be downloaded and installed. Finally got that done, and ComboFix started to scan, but after just a few seconds I got a message saying (quote) "ComboFix has detected the presence of rootkit activity and needs to reboot the machine" (end quote).
It rebooted to a desktop with no icons on it whatsoever (little heart-attack moment), but finished the scan without further interruptions.
The only thing is, when it rebooted after finishing the scan, and before it created the log file, Avast and Ad-Aware, which I had previously turned off as instructed, started up on this reboot (both are set to start automatically when Windows starts). So I don't know if the log file that ComboFix created (with both Avast and Ad-Aware running in the background) is valid or not.
I've attached it here anyway, but please let me know if I need to re-run the scan with Avast and Ad-Aware disabled at start-up.