PCANDIS5.SYS - Trojan horse Generic10.ASPV

Microsoft Antivirus Discussions

Posted by RJK on June 27, 2008, 5:30 pm
...whilst in the middle of writing my Aunty an email, Windows Defender
decided to fire up and do a sweep,
and as soon as it started up, up popped AVG 8.0 "Threat Detected,"

...false positive ?
...should I upload C:\Windows\system32\PCANDIS5.SYS to Virus Total ?
AVG 8.0 has never complained about this file before now !

regards, Richard



Posted by RJK on June 27, 2008, 6:32 pm
http://www.virustotal.com/analisis/c9bf961208494c862601d8a7f5c93a64
mmm ?
..what to do ?


> ...whilst in the middle of writing my Aunty an email, Windows Defender
> decided to fire up and do a sweep,
> and as soon as it started up, up popped AVG 8.0 "Threat Detected,"
>
> ...false positive ?
> ...should I upload C:\Windows\system32\PCANDIS5.SYS to Virus Total ?
> AVG 8.0 has never complained about this file before now !
>
> regards, Richard
>



Posted by David H. Lipman on June 27, 2008, 7:10 pm

| http://www.virustotal.com/analisis/c9bf961208494c862601d8a7f5c93a64
| mmm ?
| ..what to do ?

CAT-QuickHeal 9.50 2008.06.26 Trojan.DNSChanger.ewf

Assuming the above...

In a Command Prompt type; IPCONFIG /ALL

Copy and paste your DNS Servers.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Posted by RJK on June 27, 2008, 8:02 pm
Hi,

...how on earth does one copy and paste from a CMD box ?!
...back to DOS ! ....

IPCONFIG /ALL > c:\ipconfig.txt
Windows IP Configuration
Host Name . . . . . . . . . . . . : presler
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast
Ethernet NIC
Physical Address. . . . . . . . . : 00-13-8F-DE-A1-85
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.55
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : 27 June 2008 23:56:08
Lease Expires . . . . . . . . . . : 28 June 2008 23:56:08

...moan.... ....quick rummage in the router :-
WAN IP address : 84.71.149.185
Gateway : 62.25.195.21
Primary DNS server : 195.92.195.94
Secondary DNS server : 195.92.195.95

...anyhooo, I've been googling on the file PCANDIS5.SYS for ages ...and
I've never read such a load of rubbish in my life.
...can't get a grip on what the darned file is for, where it came from
...and if I even need it ? !!!
http://www.file.net/process/pcandis5.sys.html

File name: Pcandis5.sys
Product name: PCAUSA Rawether for Windows
Description: PCAUSA NDIS 5.0 Protocol Driver
Company: Printing Communications Assoc., Inc. (PCAUSA)


....I don't think I've got anything that came from them. !!!
...AVG 8.0 which has been running a scan has just decided to destroy
another copy of it in a restore point !!

regards, Richard


>
> | http://www.virustotal.com/analisis/c9bf961208494c862601d8a7f5c93a64
> | mmm ?
> | ..what to do ?
>
> CAT-QuickHeal 9.50 2008.06.26 Trojan.DNSChanger.ewf
>
> Assuming the above...
>
> In a Command Prompt type; IPCONFIG /ALL
>
> Copy and paste your DNS Servers.
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>



Posted by David H. Lipman on June 27, 2008, 9:46 pm

| Hi,

| ...how on earth does one copy and paste from a CMD box ?!
| ...back to DOS ! ....

| IPCONFIG /ALL > c:\ipconfig.txt
| Windows IP Configuration
| Host Name . . . . . . . . . . . . : presler
| Primary Dns Suffix . . . . . . . :
| Node Type . . . . . . . . . . . . : Unknown
| IP Routing Enabled. . . . . . . . : No
| WINS Proxy Enabled. . . . . . . . : No

| Ethernet adapter Local Area Connection:
| Connection-specific DNS Suffix . :
| Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast
| Ethernet NIC
| Physical Address. . . . . . . . . : 00-13-8F-DE-A1-85
| Dhcp Enabled. . . . . . . . . . . : Yes
| Autoconfiguration Enabled . . . . : Yes
| IP Address. . . . . . . . . . . . : 192.168.1.55
| Subnet Mask . . . . . . . . . . . : 255.255.255.0
| Default Gateway . . . . . . . . . : 192.168.1.1
| DHCP Server . . . . . . . . . . . : 192.168.1.1
| DNS Servers . . . . . . . . . . . : 192.168.1.1
| Lease Obtained. . . . . . . . . . : 27 June 2008 23:56:08
| Lease Expires . . . . . . . . . . : 28 June 2008 23:56:08

| ...moan.... ....quick rummage in the router :-
| WAN IP address : 84.71.149.185
| Gateway : 62.25.195.21
| Primary DNS server : 195.92.195.94
| Secondary DNS server : 195.92.195.95

| ...anyhooo, I've been googling on the file PCANDIS5.SYS for ages ...and
| I've never read such a load of rubbish in my life.
| ...can't get a grip on what the darned file is for, where it came from
| ...and if I even need it ? !!!
| http://www.file.net/process/pcandis5.sys.html

| File name: Pcandis5.sys
| Product name: PCAUSA Rawether for Windows
| Description: PCAUSA NDIS 5.0 Protocol Driver
| Company: Printing Communications Assoc., Inc. (PCAUSA)


| ....I don't think I've got anything that came from them. !!!
| ...AVG 8.0 which has been running a scan has just decided to destroy
| another copy of it in a restore point !!

| regards, Richard



Based upon your reply, your DNS servers haven't been altered to something like
85.255.x.y, which is a sign of a DNSChanger Trojan. Your Router gets the DNS
Servers from the ISP and you get the DNS Service via the Router.

However, %windir%\system32\PCANDIS5.SYS is too legitimate. *.SYS files,
drivers, belong in; %windir%\system32\drivers

If you'd like, you can email me a sample and I will have my "peers" check out
the file.

In the meantime, search the Registry for; PCANDIS5.SYS and see if it is being
loaded and from where and post back the results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
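Dave's two checks in this thread (the earlier post asking for the DNS servers from IPCONFIG /ALL, and the later post on where *.SYS drivers belong and the Registry search) can be applied to captured text offline. The script below is an added example, not code from Dave, Richard or any tool they mention. It assumes the whole 85.255.0.0/16 range is the DNSChanger indicator Dave describes as 85.255.x.y, that %windir% is C:\Windows, and that a kernel driver is registered under HKLM\SYSTEM\CurrentControlSet\Services with an ImagePath value; the sample ipconfig text is constructed from the lines Richard posted.

```python
r"""Added example (not from the thread): apply Dave's checks to captured text.

1. Parse the DNS servers out of 'ipconfig /all' output and flag any in the
   85.255.x.y range Dave names as a DNSChanger sign (assumption: the whole
   85.255.0.0/16 is treated as the indicator).
2. Check whether a driver path sits in %windir%\system32\drivers, where Dave
   says *.SYS drivers belong (assumption: C:\Windows is %windir%).
A Windows-only helper walks the Services key for an ImagePath naming the
driver, one place Dave's 'search the Registry' would look.
"""
import ipaddress
import ntpath
import re
import sys

DNSCHANGER_NET = ipaddress.ip_network("85.255.0.0/16")  # range from the thread

# Constructed sample: the relevant lines of the ipconfig /all output in the thread.
SAMPLE_IPCONFIG = """\
Windows IP Configuration
Host Name . . . . . . . . . . . . : presler
Ethernet adapter Local Area Connection:
IP Address. . . . . . . . . . . . : 192.168.1.55
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : 27 June 2008 23:56:08
"""


def parse_dns_servers(text):
    """Collect every address listed under 'DNS Servers' in ipconfig /all output.

    ipconfig prints the first server on the labelled line and any further
    servers on the following lines, which carry only an indented address.
    """
    servers, in_dns = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S*)", line)
        if m:
            in_dns = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        cont = re.match(r"\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", line)
        if in_dns and cont:
            servers.append(cont.group(1))
        else:
            in_dns = False
    return servers


def classify_dns(server):
    """'dnschanger' for the flagged range, 'private' for RFC 1918 addresses
    (the usual case when the router hands out its own address), else 'public'."""
    addr = ipaddress.ip_address(server)
    if addr in DNSCHANGER_NET:
        return "dnschanger"
    if addr.is_private:
        return "private"
    return "public"


def driver_in_expected_dir(path, windir=r"C:\Windows"):
    r"""True when the driver file lives in %windir%\system32\drivers."""
    expected = ntpath.normcase(ntpath.join(windir, "system32", "drivers"))
    return ntpath.normcase(ntpath.dirname(path)) == expected


def audit(ipconfig_text, driver_path):
    """Combine both checks into one verdict for the captured data."""
    dns = [(s, classify_dns(s)) for s in parse_dns_servers(ipconfig_text)]
    changed = any(c == "dnschanger" for _, c in dns)
    driver_ok = driver_in_expected_dir(driver_path)
    return {
        "dns": dns,
        "dns_changed": changed,
        "driver_in_expected_dir": driver_ok,
        "needs_a_closer_look": changed or not driver_ok,
    }


def find_services_loading(needle, services=r"SYSTEM\CurrentControlSet\Services"):
    """Windows only: list (service name, ImagePath) pairs whose ImagePath
    mentions `needle`. Returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg

    hits = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, services) as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break  # no more subkeys
            i += 1
            try:
                with winreg.OpenKey(root, name) as svc:
                    image, _ = winreg.QueryValueEx(svc, "ImagePath")
            except OSError:
                continue  # service without an ImagePath value
            if needle.lower() in str(image).lower():
                hits.append((name, image))
    return hits


if __name__ == "__main__":
    print(audit(SAMPLE_IPCONFIG, r"C:\Windows\system32\PCANDIS5.SYS"))
    print(find_services_loading("PCANDIS5.SYS"))
```

Run against Richard's output the verdict is what Dave concluded: the only DNS server is the router's private address, so the DNSChanger sign is absent, but the driver path is outside system32\drivers and is marked for a closer look. On a Windows host the Services walk shows which service, if any, references the file and from which path it is loaded.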


