Trojan.DNSChanger


  • This topic is locked
5 replies to this topic

#1 amerikanzero


Posted 12 January 2011 - 08:33 PM

Trojan.DNSChanger VIRUS.... I picked up this bug several weeks ago and it has been the bane of my existence ever since. I have gone as far as to wipe my entire hard drive and reinstall everything. I have tried several different types of malware "seekers and destroyers", everything from TDSS Killer to GMER to Malwarebytes... so far the only thing that seems to have worked at all is Malwarebytes.

When I scan with Malwarebytes it finds the Trojan virus hiding in my registries... it gives me the option to delete them but every time it says that they have been deleted... behold! They are not. I scan again and they are still there. Here is what the log file says upon "deletion"..

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

1/9/2011 10:47:20 AM
mbam-log-2011-01-09 (10-47-20).txt

Scan type: Full scan (C:\|)
Objects scanned: 171579
Time elapsed: 10 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentContr… (Trojan.DNSChanger) -> Bad: (93.188.166.105) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentContr… (Trojan.DNSChanger) -> Bad: (93.188.161.105) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentContr… (Trojan.DNSChanger) -> Bad: (93.188.166.105) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentContr… (Trojan.DNSChanger) -> Bad: (93.188.161.105) Good: () -> Quarantined and deleted successfully.


Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


As you can clearly see it says that they are gone.

My question is, what the heck can I do to get rid of them? Can I manually delete the infected registry items or is there another program that will nuke them?

If you are not familiar with this virus, let me tell you.. it sucks. It redirects you to BS pages, will not let you update anti-virus or anti-spy, cannot update windows, cannot do any research on how to get rid of it since any attempt to visit a site pertaining to spyware, rootkits, or viruses and how to get rid of them is futile and is blocked or redirected...

Please help before I throw my pc out the window and buy a mac!

I also want to add that someone mentioned that it may be my router that is infecting my network. My wife and I are on the same network and she hasn't had any problems.


DDS (Ver_10-12-12.02) - NTFSx86
Run by Killer B! at 7:50:23.91 on Tue 01/11/2011
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.997 [GMT -6:00]

AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\STacSV.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\BitTorrent\BitTorrent.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Killer B!\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [BitTorrent] "c:\program files\bittorrent\BitTorrent.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\killer~1\appdata\roaming\mozilla\firefox\profiles\2uq74md3.default\
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Gmail Manager: {582195F5-92E7-40a0-A127-DB71295901D7} - %profile%\extensions\{582195F5-92E7-40a0-A127-DB71295901D7}
FF - Ext: Gmail Notifier: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e} - %profile%\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-1-10 165584]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2011-1-8 73728]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-1-10 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-1-10 50768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-10 40384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-8 363344]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-10 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-10 40384]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2011-1-8 111616]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-8 20952]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-10 136176]

=============== Created Last 30 ================

2011-01-11 00:47:12 -------- d-----w- c:\users\killer~1\appdata\local\Mozilla
2011-01-11 00:47:03 553696 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2011-01-11 00:47:01 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2011-01-11 00:47:01 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2011-01-11 00:47:00 66520 ----a-w- c:\program files\mozilla firefox\plugins\npnul32.dll
2011-01-10 23:42:05 -------- d-----w- c:\program files\BitTorrent
2011-01-10 23:41:35 -------- d-----w- c:\users\killer~1\appdata\roaming\BitTorrent
2011-01-10 23:27:30 -------- d-----w- c:\users\killer~1\appdata\local\Google
2011-01-10 23:27:29 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-01-10 23:27:12 38848 ----a-w- c:\windows\avastSS.scr
2011-01-10 23:26:59 -------- d-----w- c:\progra~2\Alwil Software
2011-01-10 23:14:53 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-01-10 23:14:53 -------- d-----w- c:\program files\SpywareBlaster
2011-01-09 05:28:46 -------- d-----w- c:\windows\Panther
2011-01-09 05:28:30 -------- d-sh--w- C:\Boot
2011-01-09 05:28:10 -------- d-----w- c:\windows\system32\OEM
2011-01-09 04:20:33 -------- d-----w- c:\progra~2\MFAData
2011-01-09 04:19:22 -------- d-----w- c:\users\killer~1\appdata\roaming\Malwarebytes
2011-01-09 04:19:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-09 04:19:02 -------- d-----w- c:\progra~2\Malwarebytes
2011-01-09 04:18:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-09 04:18:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-09 04:07:31 -------- d-----w- c:\windows\system32\ENU
2011-01-09 04:07:30 936472 ----a-w- c:\windows\system32\imsmudlg.exe
2011-01-09 04:07:30 319456 ----a-w- c:\windows\system32\difxapi.dll
2011-01-09 04:07:30 -------- d-----w- c:\windows\system32\Lang
2011-01-09 04:07:03 277784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2011-01-09 04:04:40 90112 ----a-w- c:\windows\system32\snymsico.dll
2011-01-09 04:02:45 -------- d-----w- C:\Intel
2011-01-09 04:01:15 -------- d-----w- c:\program files\Marvell
2011-01-09 04:00:45 -------- d-----w- c:\users\killer~1\appdata\roaming\TMP
2011-01-09 03:55:21 -------- d-----w- c:\program files\Cisco
2011-01-09 03:53:59 -------- d-----w- C:\dell
2011-01-09 03:40:59 45056 ----a-r- c:\users\killer~1\appdata\roaming\microsoft\installer\{42929f0f-ce14-47af-9fc7-ff297a603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
2011-01-09 03:40:55 -------- d-----w- c:\windows\system32\vmm32
2011-01-09 03:40:55 -------- d-----w- c:\program files\Dell
2011-01-09 03:40:35 -------- d-sh--w- c:\windows\Installer

==================== Find3M ====================


============= FINISH: 7:51:13.24 ===============

Edited by amerikanzero, 12 January 2011 - 08:57 PM.



#2 teacup61 (Malware Response Team)

Posted 12 January 2011 - 08:53 PM

Hello amerikanzero ,

Yes, these things are annoying as all get out. <_< Let's do a couple of things to be sure what it is and we'll fix it. :thumbup2:

Do you use a router? If so, totally disconnect it from both computer and wall power source, reset it to factory, then put a password on it. Reconnect and see if you're still redirected. If you are, then do this:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to amerikanzero.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
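As an added check that is not part of this thread and not from either poster, the PowerShell below reads the DNS servers Windows is actually configured with and compares them against the two rogue addresses quoted in the MBAM log, separating values set statically on the host from values handed out by DHCP, which is how a router-side hijack would show up. It assumes the registry path the MBAM log truncates as CurrentContr… is the per-interface NameServer value under Tcpip\Parameters\Interfaces, and it is written for PowerShell 2.0 so it runs on the Vista system in the log.

```powershell
# Added example, not from the thread. Read-only: it compares the DNS servers
# this Windows host is configured with against the rogue addresses quoted in
# the MBAM log and reports whether each came from a static setting on the host
# or from DHCP (i.e. from the router). PowerShell 2.0 compatible.
# Assumption: the key the log truncates as "CurrentContr..." is the
# per-interface NameServer value under Tcpip\Parameters\Interfaces.

$RogueDns  = @('93.188.166.105', '93.188.161.105')   # addresses from the MBAM log
$TcpipRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$IfaceRoot = Join-Path $TcpipRoot 'Interfaces'

# NameServer values are space- or comma-separated strings; split into addresses.
function Split-DnsList([string]$Value) {
    if ([string]::IsNullOrEmpty($Value)) { return @() }
    return @($Value -split '[ ,]+' | Where-Object { $_ -ne '' })
}

function New-Finding($Scope, $Source, $Ip) {
    New-Object PSObject -Property @{
        Scope  = $Scope
        Source = $Source          # 'static' (set on host) or 'dhcp' (from router)
        Dns    = $Ip
        Rogue  = [bool]($RogueDns -contains $Ip)
    }
}

$findings = @()

# Global NameServer (applies to every interface when set).
$g = Get-ItemProperty -Path $TcpipRoot -ErrorAction SilentlyContinue
foreach ($ip in Split-DnsList $g.NameServer) { $findings += New-Finding 'global' 'static' $ip }

# Per-interface static and DHCP-assigned servers.
foreach ($iface in (Get-ChildItem -Path $IfaceRoot -ErrorAction SilentlyContinue)) {
    $p = Get-ItemProperty -Path $iface.PSPath
    foreach ($ip in Split-DnsList $p.NameServer)     { $findings += New-Finding $iface.PSChildName 'static' $ip }
    foreach ($ip in Split-DnsList $p.DhcpNameServer) { $findings += New-Finding $iface.PSChildName 'dhcp'   $ip }
}

$findings | Select-Object Scope, Source, Dns, Rogue | Format-Table -AutoSize

$bad = @($findings | Where-Object { $_.Rogue })
if ($bad.Count -eq 0) {
    'No known-rogue DNS server is configured on this host.'
} elseif (@($bad | Where-Object { $_.Source -eq 'dhcp' }).Count -gt 0) {
    'Rogue DNS arrived via DHCP: the router (its DNS settings and admin password) needs checking.'
} else {
    'Rogue DNS is set statically on this host: the change is local, not coming from the router.'
}
```

A static hit that reappears after MBAM clears it points at something still running on the host; a DHCP hit with a clean static list matches the router scenario raised in the thread.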

#3 amerikanzero (Topic Starter)

Posted 12 January 2011 - 09:42 PM

Thanks, I will give this a try.

#4 amerikanzero (Topic Starter)

Posted 15 January 2011 - 12:14 PM


I am sorry, but exactly how do I password protect my router? Sorry, but I am a little uneducated with this sort of thing.

#5 teacup61 (Malware Response Team)

Posted 15 January 2011 - 01:38 PM

Tell you what.....go ahead and run ComboFix first, and post the report. If that doesn't get it, then I'll help you through checking the router. :thumbup2:

Thanks,
tea

#6 teacup61 (Malware Response Team)

Posted 12 February 2011 - 02:54 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



