Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

trojan dns changer


  • Please log in to reply
4 replies to this topic

#1 cg5

cg5

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:12 PM

Posted 22 April 2009 - 09:44 AM

hi everyone,first of all i would like to mention i am no pro and i need easy explainations if possible,i may not understand some terms,that pros do.


I was infected with a trojan dns changer,it blocks internet explorer(but not mozzillafox)and changes my url adress somtimes and brings me to a bogus antivirus sites,i cant check my e mails and cant use anti spy wares and antiviruus tools.now i was able to use malewarebytes by changing its name.Scanned several times and foud at least 12 trojan dns changer,but everytime i scan there is always an other one.im am so sick of this sh**,please help


thankyou :thumbsup:


window xp proffesional

Edited by cg5, 22 April 2009 - 10:35 AM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,937 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:12 PM

Posted 22 April 2009 - 10:52 AM

Please post the results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs


Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode, then perform your scan in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply.

-- If you cannot use the Internet or download any programs, try downloading from another computer (family member, friend, etc). Save to a flash (usb, pen, thumb, jump) drive or CD, transfer to the infected machine, then install and run the program.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 cg5

cg5
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:12 PM

Posted 22 April 2009 - 11:26 AM

here is my first malware scan

Malwarebytes' Anti-Malware 1.36
Version de la base de données: 1945
Windows 5.1.2600 Service Pack 2

2009-04-21 15:52:42
mbam-log-2009-04-21 (15-52-42).txt

Type de recherche: Examen complet (C:\|D:\|)
Eléments examinés: 125587
Temps écoulé: 22 minute(s), 52 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 6
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 5

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.62,85.255.112.231 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{62043d65-cfa6-4271-9f16-97fe486c7dc5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.62,85.255.112.231 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.62,85.255.112.231 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{62043d65-cfa6-4271-9f16-97fe486c7dc5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.62,85.255.112.231 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.216,85.255.112.135 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{62043d65-cfa6-4271-9f16-97fe486c7dc5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.216,85.255.112.135 -> Quarantined and deleted successfully.

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
D:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
D:\RECYCLER\S-6-7-71-100025562-100019707-100027157-8765.com (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\Temp\tempo-328375.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
D:\WINDOWS\Temp\tempo-751937.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
D:\WINDOWS\Temp\tempo-830437.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.




and all other scans now give this:


Malwarebytes' Anti-Malware 1.36
Version de la base de données: 2024
Windows 5.1.2600 Service Pack 2

2009-04-22 11:36:21
mbam-log-2009-04-22 (11-36-21).txt

Type de recherche: Examen rapide
Eléments examinés: 87018
Temps écoulé: 7 minute(s), 26 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 1

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
D:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.



now i will try the other scan and i ll be back
thanks for the help :thumbsup:

#4 cg5

cg5
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:12 PM

Posted 22 April 2009 - 03:51 PM

hi now here is my doctor web scan...please help...it took out a couple but im sure there are still viruses on my pc

autorun.inf;c:;Probablement Win32.HLLW.Autoruner.corrupted;Quarantaine.;
gxvxcqgutpqlruxdlmpyvogogjikfloympslk.sys;d:\windows\system32\drivers;BackDoor.Tdss.115;Irréparable.Quarantaine.;
John Lee Hooker - I love to Boogie.mp3;D:\Documents and Settings\carl\Bureau\Ma musique\attente pour etre classé;Trojan.WMALoader;Désinfecté.;
T-3410514-croum it clover - greatest hits.mp3;D:\Documents and Settings\carl\Bureau\Ma musique\Incomplete;Trojan.WMALoader;Désinfecté.;
A0001732.reg;D:\System Volume Information\_restore{4C8CDB12-A273-4C43-A0B2-447C33202FFA}\RP38;Trojan.StartPage.1505;Supprimé.;
gxvxcsxourkrarxrtkbjddjboevdlvcjafmpj.dll;D:\WINDOWS\system32;Trojan.Click.25750;Supprimé.;
gxvxcfjonpxuoibavnpqfqsiwqixcorfpyycw.sys;D:\WINDOWS\system32\drivers;BackDoor.Tdss.115;Irréparable.Quarantaine.;
gxvxcmpfvkboeuwsfvpabqxuxnsdpcetlemov.sys;D:\WINDOWS\system32\drivers;BackDoor.Tdss.115;Irréparable.Quarantaine.;
gxvxcovmkhortjkndjnoewswuxduybfwxtgir.sys;D:\WINDOWS\system32\drivers;BackDoor.Tdss.115;Irréparable.Quarantaine.;
326875.tmp;D:\WINDOWS\Temp;Trojan.Packed.365;Supprimé.;
750406.tmp;D:\WINDOWS\Temp;Trojan.Packed.365;Supprimé.;
828796.tmp;D:\WINDOWS\Temp;Trojan.Packed.365;Supprimé.;



thanks for the help :thumbsup:

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,937 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:12 PM

Posted 23 April 2009 - 09:14 AM

Now rescan again with Malwarebytes Anti-Malware but this time perform a Full Scan in normal mode and check all items found for removal. Don't forgot to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
alternate download link

Then download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you cannot boot into safe mode, then perform your scans in normal mode.

IMPORTANT NOTE: One or more of the identified infections (gxvxccounter) was related a backdoor Trojan which is a nasty variant of the TDSSSERV rootkit. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to:If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users