Esheffer

  1. Ah, thank you, here it is:
     HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{03B6DC0C-C52A-4E2A-AD15-E7395FAF41A2}
     HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{2BF6E62E-1B09-4370-ADF9-F842B44E179E}
     HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{4B674F47-D736-4BCC-B81D-FD1BFB0B27EA}
     HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{6D09B1D3-8360-4728-BDBF-1AEBBF8724A8}
     HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{8718928D-CBEB-45EA-A621-800A9249001D}
     HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{bbed3e08-0b41-11e3-8249-806e6f6e6963}
  2. Hi, I both wrote it over and copy/pasted it, but nothing happened. Is there something I'm missing? It just pops back up saying C:\Windows\system32> Also, I actually did a restore yesterday because my computer was giving me grief, and Malwarebytes says the Trojan is still there. I'm using Windows 8 by the way if that makes a difference.
  3. I do not, so you're saying it just thinks there is one and I should tell Malwarebytes to ignore it?
  4. I tried the scan, however nothing was found. Here attached is the log of it. TDSSKiller.3.0.0.40_25.08.2014_10.36.04_log.txt
  5. Sorry I think I posted the wrong log, here was the actual scan. check.txt
  6. Oh I did, I just created the log before I quarantined/deleted it, that's all. Here is the log after I "got rid" of it. It's the same Trojan that won't go away though. protection-log-2014-08-25.xml
  7. Here it is, it still says the trojan is there however. newscan.txt
  8. Here it is. Should I start thinking about doing a system restore soon? FRST.txt
  9. Correct, it still says the Trojan.DNSChanger is still there...
  10. I have Windows 8, however I managed to get to those options and it was already set to get the IP and DNS automatically?
  11. Correct, I have used a wired connection once or twice but that's it. I live on campus at college and I use either the school's WIFI or my router's WIFI.
  12. Okay, I redownloaded the attached file and used it, and here was the result:

      Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 22-08-2014
      Ran by User at 2014-08-23 02:09:14 Run:2
      Running from C:\Users\User\Desktop
      Boot Mode: Normal
      ==============================================

      Content of fixlist:
      *****************
      cmd: ipconfig /all
      *****************

      ========= ipconfig /all =========

      Windows IP Configuration

         Host Name . . . . . . . . . . . . : MSI
         Primary Dns Suffix . . . . . . . :
         Node Type . . . . . . . . . . . . : Hybrid
         IP Routing Enabled. . . . . . . . : No
         WINS Proxy Enabled. . . . . . . . : No

      Ethernet adapter Ethernet:

         Media State . . . . . . . . . . . : Media disconnected
         Connection-specific DNS Suffix . : spsu.edu
         Description . . . . . . . . . . . : Killer e2200 Gigabit Ethernet Controller (NDIS 6.30)
         Physical Address. . . . . . . . . : 44-8A-5B-46-B3-F3
         DHCP Enabled. . . . . . . . . . . : Yes
         Autoconfiguration Enabled . . . . : Yes

      Wireless LAN adapter Local Area Connection* 3:

         Media State . . . . . . . . . . . : Media disconnected
         Connection-specific DNS Suffix . :
         Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
         Physical Address. . . . . . . . . : 80-00-0B-07-75-A7
         DHCP Enabled. . . . . . . . . . . : Yes
         Autoconfiguration Enabled . . . . : Yes

      Ethernet adapter Bluetooth Network Connection:

         Media State . . . . . . . . . . . : Media disconnected
         Connection-specific DNS Suffix . :
         Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
         Physical Address. . . . . . . . . : 80-00-0B-07-75-AA
         DHCP Enabled. . . . . . . . . . . : Yes
         Autoconfiguration Enabled . . . . : Yes

      Wireless LAN adapter Wi-Fi:

         Connection-specific DNS Suffix . :
         Description . . . . . . . . . . . : Intel® Centrino® Advanced-N 6235
         Physical Address. . . . . . . . . : 80-00-0B-07-75-A6
         DHCP Enabled. . . . . . . . . . . : Yes
         Autoconfiguration Enabled . . . . : Yes
         IPv6 Address. . . . . . . . . . . : 2601:0:b800:665:249e:d97a:6a8e:5915(Preferred)
         Temporary IPv6 Address. . . . . . : 2601:0:b800:665:1df5:f705:6f94:1ac0(Preferred)
         Link-local IPv6 Address . . . . . : fe80::249e:d97a:6a8e:5915%3(Preferred)
         IPv4 Address. . . . . . . . . . . : 192.168.1.6(Preferred)
         Subnet Mask . . . . . . . . . . . : 255.255.255.0
         Lease Obtained. . . . . . . . . . : Saturday, August 23, 2014 1:56:32 AM
         Lease Expires . . . . . . . . . . : Sunday, August 24, 2014 2:04:19 AM
         Default Gateway . . . . . . . . . : fe80::21d:d4ff:fe22:9771%3
                                             fe80::c23f:eff:fedc:6cec%3
                                             192.168.1.1
         DHCP Server . . . . . . . . . . . : 192.168.1.1
         DHCPv6 IAID . . . . . . . . . . . : 58720267
         DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-75-0F-BB-80-00-0B-07-75-A6
         DNS Servers . . . . . . . . . . . : fe80::c23f:eff:fedc:6cec%3
                                             192.168.1.1
         NetBIOS over Tcpip. . . . . . . . : Enabled

      Tunnel adapter isatap.{770D8A2E-7E3C-45B5-8C5C-610246E44892}:

         Media State . . . . . . . . . . . : Media disconnected
         Connection-specific DNS Suffix . :
         Description . . . . . . . . . . . : Microsoft ISATAP Adapter
         Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
         DHCP Enabled. . . . . . . . . . . : No
         Autoconfiguration Enabled . . . . : Yes

      Tunnel adapter Teredo Tunneling Pseudo-Interface:

         Connection-specific DNS Suffix . :
         Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
         Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
         DHCP Enabled. . . . . . . . . . . : No
         Autoconfiguration Enabled . . . . : Yes
         IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:3c21:259c:b39e:18d1(Preferred)
         Link-local IPv6 Address . . . . . : fe80::3c21:259c:b39e:18d1%8(Preferred)
         Default Gateway . . . . . . . . . :
         DHCPv6 IAID . . . . . . . . . . . : 285212672
         DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-75-0F-BB-80-00-0B-07-75-A6
         NetBIOS over Tcpip. . . . . . . . : Disabled

      ========= End of CMD: =========

      ==== End of Fixlog ====
  13. I did, and it's still there. Granted it's back to the one item, but it is still detecting it to be there. Here's a copy of the log I saved:

      Malwarebytes Anti-Malware
      www.malwarebytes.org

      Scan Date: 8/22/2014
      Scan Time: 9:47:14 AM
      Logfile: Stillmorevirus.txt
      Administrator: Yes

      Version: 2.00.2.1012
      Malware Database: v2014.08.22.05
      Rootkit Database: v2014.08.21.01
      License: Trial
      Malware Protection: Enabled
      Malicious Website Protection: Enabled
      Self-protection: Disabled

      OS: Windows 8.1
      CPU: x64
      File System: NTFS
      User: User

      Scan Type: Custom Scan
      Result: Completed
      Objects Scanned: 489001
      Time Elapsed: 32 min, 3 sec

      Memory: Enabled
      Startup: Enabled
      Filesystem: Enabled
      Archives: Enabled
      Rootkits: Enabled
      Heuristics: Enabled
      PUP: Enabled
      PUM: Enabled

      Processes: 0
      (No malicious items detected)

      Modules: 0
      (No malicious items detected)

      Registry Keys: 0
      (No malicious items detected)

      Registry Values: 0
      (No malicious items detected)

      Registry Data: 1
      Trojan.DNSChanger, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{A08CD2E7-3713-422E-86C5-5051197859C8}|DhcpNameServer, 168.28.176.11 198.72.72.10, Good: (), Bad: (168.28.176.11 198.72.72.10),,[98015e6b057684b219445688d034a060]

      Folders: 0
      (No malicious items detected)

      Files: 0
      (No malicious items detected)

      Physical Sectors: 0
      (No malicious items detected)

      (end)
  14. I just ran the fix, and it required me to reboot which took longer than I expected but oh well. Here are the results:

      Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-08-2014
      Ran by User at 2014-08-22 07:41:39 Run:1
      Running from C:\Users\User\Downloads
      Boot Mode: Normal
      ==============================================

      Content of fixlist:
      *****************
      Tcpip\Parameters: [DhcpNameServer] 168.28.176.11 168.28.176.253 198.72.72.10
      emptytemp:
      cmd: ipconfig /flushdns
      *****************

      HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer => value deleted successfully.

      ========= ipconfig /flushdns =========

      Windows IP Configuration

      Successfully flushed the DNS Resolver Cache.

      ========= End of CMD: =========

      EmptyTemp: => Removed 511.1 MB temporary data.

      The system needed a reboot.

      ==== End of Fixlog ====