Trojan.DNSChanger

Closed
hellokitty713 Posts 1 Registration date Saturday June 19, 2010 Status Member Last seen June 19, 2010 - Jun 19, 2010 at 01:36 PM
 Gervarod - Jul 2, 2010 at 02:43 AM
Hello,
I have 2 trojans that show up in Malwarebytes anti-virus.
They always come back!
I am including the log, because maybe someone can tell me what files to delete?
Maybe how to do it?
I think this is done by opening the file locations, but I am not sure.
Can I just delete everything in the HKEY files, no matter if they're important, and just use my factory restoration discs after?

It seems this virus is the one that affects system restore.

Any help would be great.

Thank you so much. :)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4144

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

6/19/2010 11:31:04 AM
mbam-log-2010-06-19 (11-31-04).txt

Scan type: Quick scan
Objects scanned: 118494
Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{51709eae-e265-4976-bc1e-49af72092247}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




6 responses

jack4rall Posts 6428 Registration date Sunday June 6, 2010 Status Moderator Last seen July 16, 2020
Jun 19, 2010 at 11:47 PM
Try this one.

Perform a full scan in Malwarebytes' Anti-Malware software.


Download GMER - Rootkit Detector and Remover; just click on this link:

http://www2.gmer.net/gmer.zip

Perform the scan and then manually kill the process and delete the rootkit.
0
hellokitty713
Jun 21, 2010 at 07:14 PM
Would you mind explaining to me how to do this?

Thank you.
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Jun 22, 2010 at 04:41 PM
Hello Kitty,

It seems that your message was not received by Jack4All.

I have an alternative to your problem which may prove to be simple, but I really do need to identify any suspicious items in your processes and registry.

To fix the problem, I must have a HijackThis log.

http://free.antivirus.com/hijackthis/

Please download, install and request a scan and save a log. Copy the log and post it here.

Catch you later

Regards
0
jack4rall Posts 6428 Registration date Sunday June 6, 2010 Status Moderator Last seen July 16, 2020
Jun 23, 2010 at 06:27 AM
Hi kitty,

Sorry for the late reply.

GMER - Rootkit Detector and Remover is an application that finds hidden rootkits. Just extract that file --> double-click to open the application --> click on Scan. If you find any hidden process, manually kill the process and delete the rootkit.

or

You can try this solution, just follow all the 4 steps.

Step 1:

i) Click on Start ---> Run --> type devmgmt.msc and click on OK ---> Device Manager will be opened.

ii) Then click on the View tab ---> select Show Hidden Drivers.

Scroll down to Non-Plug and Play Drivers ---> click + at left.

iii) Search for drivers named TDSSserv.sys or TDSSxyz.sys where xyz are random characters, msqpdxserv.sys, seneka or seneka.sys ---> right-click on it and disable it ---> click on Yes to confirm it.

Note: If the drivers are not listed in the Device Manager, then still continue with Step 2.

Then restart your computer.

Step 2:

i) Download Avenger file, just click on this link
http://www.geekstogo.com/forum/files/file/393-the-avenger-by-swandog46/

Extract that file ---> just double-click on it --> click on Yes --> The Avenger opens.

ii) Just copy and paste this script starting from "drivers to delete" which ends at "C:\resycled" in the input script section.

Drivers to delete:
TDSSserv.sys
msqpdxserv.sys
gaopdxserv.sys
gxvxcserv.sys
seneka
seneka.sys
ndisprot.sys
UACd.sys
MSIVXserv.sys
ESQULserv.sys

Files to delete:
C:\Windows\system32\wdmaud.sys
C:\resycled\bootmatrix.com

Folders to delete:
C:\resycled

iii) Then check the checkbox "Automatically disable any rootkits found".

Click on "Execute" --> click on Yes.

When it asks you "Reboot now?" ---> click on Yes.


Step 3:

i) Then update your Malwarebytes' Anti-Malware and run "Full Scan" (default is quick scan).

Then remove it and restart it.

Step 4:

i) Click on Start --> type ncpa.cpl and click on OK. The Network Connections window will be opened.

ii) Then right-click on your local area connection --> click on Properties ----> then scroll down and double-click on Internet Protocol [TCP/IP] ----> click on the "Properties" button --> then the Internet Protocol [TCP/IP] properties window will be opened ---> there make sure "Obtain DNS Server address automatically" is selected.

iii) Then click on Start ---> Run ---> type cmd --> click on OK ---> the command prompt will be opened --> then type this command

ipconfig /flushdns -----> press Enter.

Restart your PC now.

If the problem still exists, follow Ambucias's steps and paste the HijackThis log here.
0
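The check behind Step 4, as an added example that is not part of the thread or of any tool named in it: it reads the NameServer and DhcpNameServer values under the Tcpip key shown in the scan log and flags the three addresses Malwarebytes reported. It assumes PowerShell 3.0 or later; the function names are hypothetical.

```powershell
# Added example: audit the DNS registry values flagged in the scan log.
# Indicator addresses are the ones listed in the Malwarebytes log above.
$Indicators = @('93.188.161.105', '93.188.166.105', '1.2.3.4')
$Base       = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ValueNames = @('NameServer', 'DhcpNameServer')

function Split-DnsList {
    param([string]$Data)
    # Both values store addresses separated by spaces or commas.
    if (-not $Data) { return @() }
    return @($Data -split '[\s,]+' | Where-Object { $_ })
}

function Get-DnsRegistryFinding {
    # The global key plus one subkey per network interface GUID.
    $keys = @($Base)
    $keys += @(Get-ChildItem -Path "$Base\Interfaces" -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSPath })

    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $ValueNames) {
            $servers = @(Split-DnsList -Data ([string]$props.$name))
            if ($servers.Count -eq 0) { continue }
            # Keep only the addresses that match the scan log.
            $hits = @($servers | Where-Object { $Indicators -contains $_ })
            [pscustomobject]@{
                Key     = $key -replace '^.*?::', ''
                Value   = $name
                Servers = $servers -join ' '
                Source  = if ($name -eq 'NameServer') { 'static' } else { 'DHCP lease' }
                Flagged = $hits -join ' '
            }
        }
    }
}

$findings = @(Get-DnsRegistryFinding)
$findings | Format-Table -AutoSize -Wrap
if ($findings | Where-Object { $_.Flagged }) {
    Write-Warning 'DNS servers from the scan log are still configured.'
}
```

A flagged address under NameServer is a static setting on the PC, while one under DhcpNameServer was handed out by the DHCP server, usually the router, so it returns on the next lease renewal until the router's DNS settings are corrected.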
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Jun 23, 2010 at 07:12 AM
Hello Jack,

I am impressed! That is what is called cybernetic gymnastics.
0
jack4rall Posts 6428 Registration date Sunday June 6, 2010 Status Moderator Last seen July 16, 2020
Jun 24, 2010 at 07:16 AM
Hello Ambucias,

I am trying my best.
0
Wouldn't that take too long and mucking around for her if she wants to remove it faster?
0

hellokitty713
Jun 23, 2010 at 04:54 PM
Avenger doesn't work, I think, it just opens a pic that says it can't be displayed...

Sorry if I'm doing something wrong, :(
0
jack4rall Posts 6428 Registration date Sunday June 6, 2010 Status Moderator Last seen July 16, 2020
Jun 24, 2010 at 07:17 AM
Hi Kitty,

Try to download the avenger from this link.

http://swandog46.geekstogo.com/avenger2/avenger2.html

Click on Download (you can find it at the left side).
0
such as using SmitfraudFix which might remove it faster for her.

https://www.bleepingcomputer.com/virus-removal/how-to-use-smitfraudfix
which does remove DNS changers
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Jun 27, 2010 at 04:22 PM
Hello Gervarod,

I had forgotten about SmitfraudFix. Good idea! I am proud of you!
0
The best & only way I have found is to reinstall the router. Despite what all others suggest -- I've tried them all. Was very successful w/ reinstalling the router.

Cheers,
Josh
0
Well, if you put your computer in safe mode and then run https://www.bleepingcomputer.com/virus-removal/how-to-use-smitfraudfix then it should remove the Trojan DNS changer.
0