Jump to content

Trojan.DNSchanger Not being removed

Esheffer

By Esheffer
in Resolved Malware Removal Logs

 Share

Recommended Posts

Esheffer

Esheffer

Posted
Posted

Hi, on my computer I have tried using custom scans on Malwarebytes to delete this trojan, but it still hasn't been removed. The Logs say this specifically: 

Registry Data: 5
Trojan.DNSChanger, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|DhcpNameServer, 168.28.176.11 168.28.176.253 198.72.72.10, Good: (), Bad: (168.28.176.11),,[0146874058234ee8a94fcb11a55fbe42]
Trojan.DNSChanger, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|DhcpNameServer, 168.28.176.11 168.28.176.253 198.72.72.10, Good: (), Bad: (168.28.176.253),,[0e39c7003546a096bd3b6379a75d07f9]
Trojan.DNSChanger, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{770D8A2E-7E3C-45B5-8C5C-610246E44892}|DhcpNameServer, 168.28.176.11 168.28.176.253 198.72.72.10, Good: (), Bad: (168.28.176.11),,[2c1b10b766154bebe71123b90afab34d]
Trojan.DNSChanger, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{770D8A2E-7E3C-45B5-8C5C-610246E44892}|DhcpNameServer, 168.28.176.11 168.28.176.253 198.72.72.10, Good: (), Bad: (168.28.176.253),,[4601d3f4700b979fb147c01cc440e020]
Trojan.DNSChanger, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{A08CD2E7-3713-422E-86C5-5051197859C8}|DhcpNameServer, 168.28.176.11  198.72.72.10, Good: (), Bad: (168.28.176.11 198.72.72.10),,[dd6a289f5c1ffc3a13e54597ab59e11f]
 
I followed a post on the forums here from someone with a similar issue and ran the Farbar Recovery Scan Tool, and I have attached the files below.  If anyone can please help me,I really need to get this stupid thing off my computer!

virus custom scan.txt

Addition.txt

FRST.txt

Link to post
Share on other sites
TwinHeadedEagle

TwinHeadedEagle

Posted
Posted

Hello,
    
 
They call me TwinHeadedEagle around here, and I'll be working with you.
 
    
 
    
Before we start please read and note the following:

  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Stay with me to the end, the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, what may cause some delays between answers.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

:excl: I can't foresee everything, so if anything unexpected happens, please stop and inform me!
:excl: There are no silly questions. Never be afraid to ask if in doubt!
 
 
 
  warning.gif Rules and policies
 
We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!
 
Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.
 
 
 
 

FRST.gif Fix with Farbar Recovery Scan Tool
 


icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif
icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.

fixlist.txt

Link to post
Share on other sites
Esheffer

Esheffer

Posted
  • Author
Posted

I just ran the fix, and it required me to reboot which took longer than I expected but oh well.  Here are the results:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-08-2014
Ran by User at 2014-08-22 07:41:39 Run:1
Running from C:\Users\User\Downloads
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
Tcpip\Parameters: [DhcpNameServer] 168.28.176.11 168.28.176.253 198.72.72.10
emptytemp:
cmd: ipconfig /flushdns
*****************
 
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer => value deleted successfully.
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
EmptyTemp: => Removed 511.1 MB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog ====
Link to post
Share on other sites
Esheffer

Esheffer

Posted
  • Author
Posted

I did, and its still there. Granted its back to the one item, but it is still detecting it to be there. Heres a copy of the log I saved:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 8/22/2014
Scan Time: 9:47:14 AM
Logfile: Stillmorevirus.txt
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.08.22.05
Rootkit Database: v2014.08.21.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: User
 
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 489001
Time Elapsed: 32 min, 3 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 1
Trojan.DNSChanger, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{A08CD2E7-3713-422E-86C5-5051197859C8}|DhcpNameServer, 168.28.176.11  198.72.72.10, Good: (), Bad: (168.28.176.11 198.72.72.10),,[98015e6b057684b219445688d034a060]
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
Link to post
Share on other sites
TwinHeadedEagle

TwinHeadedEagle

Posted
Posted

Let's run one more fix:
 
 
 
 
 FRST.gif Fix with Farbar Recovery Scan Tool
 

icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif
icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.

fixlist.txt

Link to post
Share on other sites
Esheffer

Esheffer

Posted
  • Author
Posted

Okay, I redownloaded the attached file and used it, and here was the result:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 22-08-2014
Ran by User at 2014-08-23 02:09:14 Run:2
Running from C:\Users\User\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
cmd: ipconfig /all
*****************
 
 
=========  ipconfig /all =========
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : MSI
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Ethernet adapter Ethernet:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : spsu.edu
   Description . . . . . . . . . . . : Killer e2200 Gigabit Ethernet Controller (NDIS 6.30)
   Physical Address. . . . . . . . . : 44-8A-5B-46-B3-F3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Local Area Connection* 3:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 80-00-0B-07-75-A7
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Ethernet adapter Bluetooth Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 80-00-0B-07-75-AA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Wi-Fi:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel® Centrino® Advanced-N 6235
   Physical Address. . . . . . . . . : 80-00-0B-07-75-A6
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:0:b800:665:249e:d97a:6a8e:5915(Preferred) 
   Temporary IPv6 Address. . . . . . : 2601:0:b800:665:1df5:f705:6f94:1ac0(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::249e:d97a:6a8e:5915%3(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.6(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, August 23, 2014 1:56:32 AM
   Lease Expires . . . . . . . . . . : Sunday, August 24, 2014 2:04:19 AM
   Default Gateway . . . . . . . . . : fe80::21d:d4ff:fe22:9771%3
                                       fe80::c23f:eff:fedc:6cec%3
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 58720267
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-75-0F-BB-80-00-0B-07-75-A6
   DNS Servers . . . . . . . . . . . : fe80::c23f:eff:fedc:6cec%3
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.{770D8A2E-7E3C-45B5-8C5C-610246E44892}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:3c21:259c:b39e:18d1(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::3c21:259c:b39e:18d1%8(Preferred) 
   Default Gateway . . . . . . . . . : 
   DHCPv6 IAID . . . . . . . . . . . : 285212672
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-75-0F-BB-80-00-0B-07-75-A6
   NetBIOS over Tcpip. . . . . . . . : Disabled
 
========= End of CMD: =========
 
 
==== End of Fixlog ====
Link to post
Share on other sites
TwinHeadedEagle

TwinHeadedEagle

Posted
Posted

Your DNS is ok. I do not know why MalwareBytes keeps finding these entries? Do you have any issues?
 
 
Let's make one more scan:
 
 
 
Download TDSSKiller  and save it to your desktop
 
  Execute TDSSKiller.exe by doubleclicking on it.
Confirm "End user Licence Agreement" and "KSN Statement" dialog box by clicking on Accept button.

  •  Press Start Scan
  •  If Suspicious object is detected, the default action will be Skip, click on Continue.
  •  If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt
 
 
Please post the contents of that log in your next reply.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.