Trojan.DNSChanger Closed

Question

Hello,  
I have 2 trojans that show up in malwarebytes anti virus. 
They always come back! 
I am including the log, because maybe someone can tell me what files to delete? 
Maybe how to do it? 
I think this is done by opening the file locations, but I am not sure.  
Can I just delete everything in the HKEY files, no matter if they're important, and just use my factory restoration discs after? 

It seems this virus is the one that affects system restore. 

Any help would be great. 

Thank you so much. :) 

Malwarebytes' Anti-Malware 1.46 
www.malwarebytes.org 

Database version: 4144 

Windows 6.0.6001 Service Pack 1 
Internet Explorer 7.0.6001.18000 

6/19/2010 11:31:04 AM 
mbam-log-2010-06-19 (11-31-04).txt 

Scan type: Quick scan 
Objects scanned: 118494 
Time elapsed: 4 minute(s), 5 second(s) 

Memory Processes Infected: 0 
Memory Modules Infected: 0 
Registry Keys Infected: 0 
Registry Values Infected: 0 
Registry Data Items Infected: 2 
Folders Infected: 0 
Files Infected: 0 

Memory Processes Infected: 
(No malicious items detected) 

Memory Modules Infected: 
(No malicious items detected) 

Registry Keys Infected: 
(No malicious items detected) 

Registry Values Infected: 
(No malicious items detected) 

Registry Data Items Infected: 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 1.2.3.4 -> Quarantined and deleted successfully. 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{51709eae-e265-4976-bc1e-49af72092247}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 1.2.3.4 -> Quarantined and deleted successfully. 

Folders Infected: 
(No malicious items detected) 

Files Infected: 
(No malicious items detected) 




Configuration: Windows Vista / Safari 533.4

jack4rall · Answer

try this 1  

Perform full scan in malware's antimalware software.


download GMER - Rootkit Detector and Remover, just click on this link  

http://www2.gmer.net/gmer.zip  

Perform the scan and then manually kill process and delete the rootkit.

hellokitty713 · Answer

Would you mind explaining to me how to do this?

Thank you.

Ambucias · Answer

Hello Kitty,

It seems that your message was not received by Jack4All.

I have an alternative to your problem which may prove to be simple, but I really do need to identify any suspicious items in your processes and registry.

To fix the problem, I must have a Hyjacthis log.

http://free.antivirus.com/hijackthis/

Please download, install and request a scan and save a log.  Copy the log and post it here.

Catch you later

Regards

jack4rall · Answer

Hi kitty,    

Sorry for the late reply.    

GMER - Rootkit Detector and Remover is an application that finds the hidden rootkits.-->just extract that file--->double click to open the application -->click on scan. If you find any hidden process manually kill process and delete the rootkit.    

or    

You  can try this solution, just follow all the 4 steps.  

Step 1:  

i)   Click on start--->Run-->type devmgmt.msc and click on ok--->  

       device   manager  will be opened    

ii)   Then click on the view tab--->select Show Hidden Drivers    

        Scroll down to non Plug and Play drivers--->Click + at left.    

iii) Search these drivers with named TDSSserv.sys or TDSSxyz.sys where xyz   

are random characters, msqpdxserv.sys, seneka or seneka.sys---> right click   

on it and disable it--->click on yes to confirm it.    

Note : If the drivers are not listed in the device manager, then still continue   
            with step2.  

Then restart your computer    

Step 2:  

i) Download Avenger file, just click on this link    
http://www.geekstogo.com/forum/files/file/393-the-avenger-by-swandog46/    

Extract that file--->just double click on it --> click on yes.-->The Avenger opens.    

ii) Just copy and paste this script starting from "drivers to delete" which ends at "C:\resycled" in the input script section.    

Drivers to delete:    
TDSSserv.sys    
msqpdxserv.sys    
gaopdxserv.sys    
gxvxcserv.sys    
seneka    
seneka.sys    
ndisprot.sys    
UACd.sys    
MSIVXserv.sys    
ESQULserv.sys    

Files to delete:    
C:\Windows\system32\wdmaud.sys    
C:\resycled\bootmatrix.com    

Folders to delete:    
C:\resycled    

iii)Then check the checkbox  "Automatically disable any rootkits found".  

            Click on "Execute"-->Click on Yes.    

When it asks you Reboot now?.--->click on Yes    


Step 3:  

i)Then update your Malware's Anti-Malware and run "Full Scan". ( default is quick scan)    

                       Then remove it and restart it.    

Step 4:  

i)Click on start-->type ncpa.cpl and click on OK. Network Connections window   

     will be opened.    

ii) Then right click on your local area connection -->click on properties---->then   

scroll down and double click on Internet Protocol [TCP/IP]---->click on   

"Properties" button-->then Internet Protocol [TCP/IP] properties window will   

be opened---> there make sure "Obtain DNS Server address automatically" is   

selected.    


iii)  Then Click on start --->run--->type cmd -->click on OK--->command prompt  

        will be opened-->then type this command    

ipconfig /flushdns  ----->press enter.    

restart your PC now.    

If the problem still exists,  follow Ambucias steps and paste the hijackthis log here.

hellokitty713 · Answer

Avenger doesnt work, I think, it just opens a pic, that says it cant be displayed...

Sorry if Im doing something wrong, :(

josh · Answer

the best & only way I have found is to reinstall the router.  despite what all others suggest -- i've tried them all. was very successful w/ reintstalling the router.

Cheers,
Josh

Trojan.DNSChanger

6 responses

Subscribe To Our Newsletter!