Staff Metallica Posted July 8, 2012 Staff ID:568037 Share Posted July 8, 2012 What is Trojan.DNSchanger?The Malwarebytes research team has determined that Trojan.DNSchanger is an internet hijacker. These so-called "hijackers" change the settings of your internet connection so that you end up at the sites of their choice. In extreme cases they may even change the DNS servers on your routers to reach that goal. You are strongly advised to follow our removal instructions below.Do this as soon as possible because at one point you may your use connection entirely and you may have to contact your service provider to get reconnected. Why? The rogue DNSChanger servers will permanently shut down on July 9 2012, meaning users have only a few days to scan their PCs for faulty DNS settings and possibly prevent being cut off from the internet.How do I know if I am infected with Trojan.DNSchanger?You may have seen these warnings on Facebook or Google:How did Trojan.DNSchanger get on my computer?Rogue programs use different methods for spreading themselves. This particular one was spread in a phishing mail about Paypal.How do I remove Trojan.DNSchanger?Our program Malwarebytes Anti-Malware can detect and remove this rogue application.Please download Malwarebytes Anti-Malware to your desktop.Double-click mbam-setup.exe and follow the prompts to install the program.At the end, be sure a check-mark is placed next to the following: Update Malwarebytes Anti-Malware Launch Malwarebytes Anti-Malware[*]Then click Finish.[*]If an update is found, it will download and install the latest version.[*]Once the program has loaded, select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected. Reboot your computer if prompted.[*]When completed, a log will open in Notepad. The rogue application should now be gone.Is there anything else I need to do to to regain control over the DNS settings?It may be necessary to change the settings of your router if these haven been altered by the malware. It does that by trying the default login credentials of your type of router.If you changed the login or password before you were infected, then it would have been unable to do so.You can find an extensive list of router brands and the way to change their DNS servers here: https://store.opendns.com/setup/router/ . You can use the OpenDNS values shown in the guides or use the ones provided by your ISP.Usually this can be done by entering the IP address of the router in your browser and logging in. Most manufacturers publish the default passwords on pages like this one by Netgear where you can find the default password for your router, in case you no longer have the manual.Most of the time they will also tell you how to reset the router to the default settings in case you do not remember the password. But, as mentioned before, if you have changed the password in the past, then the DNS settings would not have been changed by the DNSchanger.We strongly recommend to change at least your password, needed to enter the router settings, away from the default.Technical details for expertsSigns in a HijackThis log:O17 - HKLM\System\CCS\Services\Tcpip\..\{40F4E25A-FA42-41FC-B400-812BFD5879AC}: NameServer = 85.255.115.235,85.255.112.171 O17 - HKLM\System\CCS\Services\Tcpip\..\{D039210B-81E5-4AE2-96D0-2AB20E55C59A}: NameServer = 85.255.115.235,85.255.112.171 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.235,85.255.112.171 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.235,85.255.112.171Note: the values you find in your log may be different, but at least check if the ones you have in your log are legitimate ones. If you are using a router then your log may look OK, but you could still be a victim. The full version of Malwarebytes Anti-Malware could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & ServersMalware Execution PreventionSave yourself the hassle and get protected. Link to post Share on other sites More sharing options...
Recommended Posts