Jump to content

Trojan.DNSChanger - MB can't remove

Throwaway333
 Share

Recommended Posts

Throwaway333

Throwaway333

Posted
Posted

Hello,

 

In the last scan Malwarebytes Free edition has detected 2 instances of Trojan.DNSChanger. I have tried removing it and restarting my PC several times but it always comes back.

No other scanner (like Avira, HitmanPro) detect this. I also have no issues on my PC, was just running my weekly scans.

 

HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|DhcpNameServer

HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{8D45C7E1-D95A-4108-AC8B-156FEC9D46E1}|DhcpNameServer

 

 

I have also provided the log and a picture as an attachment, along the FRST and Addition log from FRST64.

 

While looking for my problem I have also stumbled across several threads (including ones from MB forums like this one - https://forums.malwarebytes.org/index.php?/topic/169206-trojandnschanger/)but are not really of any help to me since I don't really know what to look for in logs and such.

 

 

Thanks.

Addition.txt

FRST.txt

post-197343-0-37844800-1452000065_thumb.

MBlog.txt

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Hello and welcome to Malwarebytes,

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes, we make no accusations but do make you aware of Forum Protocol....
 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.
 

Next,

 

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


 

Next,

 

Download and Save McAfee Stinger to your Desktop from here:


 

http://downloadcenter.mcafee.com/products/mcafee-avert/Stinger/stinger32.exe


 

Read the Terms and Conditions, the download tab is at the bottom of the page.

Close all browsers before starting. Disable your antivirus program and anti-malware, if any.

To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs read here:


 

http://www.bleepingcomputer.com/forums/topic114351.html


 

On Windows 7, 8, 10 & Vista systems, Right Click on Stinger stinger.jpg and select Run as Administrator.

On XP, double-click to start it.

Click on “I Accept” tab at McAfee end user licence agreement.


 

Stinger%20a.png


 

In the new Window select “Advanced” then “Settings”


 

Stinger%20b.png


 

The settings window will open, make sure the settings are exactly as shown in the following image, then select “Save” <<------Very Important


 

Stinger%20c.png


 

In the new window Click the “Customize my Scan” under the “Scan” button.


 

Stinger%20f.png


 

In the new Window select C:\ drive and any other listed Hard Drive, then select “Scan”


 

Stinger%20g.png


 

When the scan completes select the “View log” to do that, select “Notepad” if offered in list of choices.

If the log opens in your browser, copy and save to a file....

I will need a copy of that log.

 

Next,

 

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs....
 

 

Let e see those logs, also let me know if any remaining issues or concerns...

 

Thank you,

 

Kevin

Fixlist.txt

Link to post
Share on other sites
Throwaway333

Throwaway333

Posted
  • Author
Posted
Thanks for the reply, I did as following:

 

 

 

1. Got you the Fixlog.txt - it's attached.

 

 

2. Ran a Malwarebytes scan with your settings -  here is the export:

 

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 5.1.2016.

Scan Time: 18:42

Logfile: 

Administrator: Yes

 

Version: 2.2.0.1024

Malware Database: v2016.01.05.04

Rootkit Database: v2015.12.26.01

License: Free

Malware Protection: Disabled

Malicious Website Protection: Disabled

Self-protection: Disabled

 

OS: Windows 7 Service Pack 1

CPU: x64

File System: NTFS

User: Anej

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 330054

Time Elapsed: 5 min, 46 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 0

(No malicious items detected)

 

Registry Values: 0

(No malicious items detected)

 

Registry Data: 2

Trojan.DNSChanger, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|DhcpNameServer, 77.77.192.20 94.140.66.194, Good: (), Bad: (94.140.66.194),Replaced,[e820e155fd9c072fa021d4d0fe06a65a]

Trojan.DNSChanger, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{8D45C7E1-D95A-4108-AC8B-156FEC9D46E1}|DhcpNameServer, 77.77.192.20 94.140.66.194, Good: (), Bad: (94.140.66.194),Replaced,[1aeec670cccd2b0b952c9c089b69ae52]

 

Folders: 0

(No malicious items detected)

 

Files: 0

(No malicious items detected)

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)

 

 

3. Ran the Stinger scan with all drives selected and your settings, I have it attached as a .txt file. I have noticed it says ''Rootkit scan result : Not Scanned'' although I have selected rootkits in the options.

 

4. Ran FRST once more, the 2 logs are attached.

 

Thanks.

Addition.txt

FRST.txt

Fixlog.txt

McAfee Stinger scan results.txt

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Go here: http://setuprouter.com/networking/how-to-reset-your-router/ follow those instructions and reset your router..

 

Next,

 

Download and unzip DNSJumper to your Desktop, the tool is portable no installation necessary.

Tool can be downloaded here: http://www.sordum.org/downloads/?dns-jumper  <<<---- Scroll to bottom of page

  •   Right click on Dnsjumper.exe and select "Run as Administrator" to start the tool.
  •   From the left hand pane select "Flush DNS"
  •   From the main interface select the dropdown under "Choose a DNS Server"
  •   From the list select either "Google Public DNS" or "Open DNS"
  •   From the left hand pane select "Apply DNS"
  •   When done re-boot your system....

 
Next,
 
Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.



To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


 

Next,

 

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs....
 

Post those logs to your reply...

 

Thank you,

 

Kevin

Link to post
Share on other sites
Throwaway333

Throwaway333

Posted
  • Author
Posted

Hello Kevin, sorry for the delay,

 

 

1. Reset my router

 

2. I did everything in DNSjumper as instructed.

 

3. Ran another MB scan, it got 0 detections this time, here is the log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 6.1.2016.
Scan Time: 13:08
Logfile: 
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.01.06.03
Rootkit Database: v2016.01.05.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Anej
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 332060
Time Elapsed: 6 min, 25 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 

(end)  

 

 

4. Ran FRST once more time, I attached the 2 .txt files.

 

Thanks.

Addition.txt

FRST.txt

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Thanks for theose logs, run the following and post the produced logs...

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.
 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...

 
Next,
 
thisisujrt.gif Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


 

Next,

 

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and  Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....
 

Post those logs, also let me know if you have any remaining issues or concerns...

 

Thank you,

 

Kevin

Fixlist.txt

Link to post
Share on other sites
Throwaway333

Throwaway333

Posted
  • Author
Posted

Thanks for the fast reply.

 

1. I ran FRST again, files are attached.

 

2. Ran ADWCleaner, log is attached.

 

3. Ran Junkware removal tool, the log is short so I copy/pasted it, also attached it.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Windows 7 Ultimate x64 
Ran by Anej (Administrator) on sri 06.01.2016. at 14:43:56,15
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 0 
 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on sri 06.01.2016. at 14:45:18,99
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 

 

4. Ran MS MSRT - 

 

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.31, December 2015 (build 5.31.12100.0)
Started On Wed Jan 06 14:49:48 2016
 
Engine: 1.1.12300.0
Signatures: 1.211.637.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jan 06 14:51:52 2016
 
 
Return code: 0 (0x0)
 
 
 
Regarding any concers... I don't know, should I be concerned? Is it good now? And should I change any passwords, anything similar? Thanks.

AdwCleanerC1.txt

Fixlog.txt

JRT.txt

Link to post
Share on other sites
Throwaway333

Throwaway333

Posted
  • Author
Posted

Hey again,

 

I'm glad to hear that, I ran MB once again to see if it will detect it, but it showed nothing. I have disabled system restore manually because of the SSD and cause I never really use it.

I hope thats it then. I renabled all my security and will change some main passwords. Thanks a lot for your help.

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Thanks for the update, system restore is worth having active, it does not make any difference that you have SSDrive. Having a registry backup is definitely recommended.... if we are good to go run the following to clean up:

 

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:



  •    
  • Remove disinfection tools
       
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created. Not needed as SR is off
       
  • Reset system settings



Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

 

Next,

 

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...  busy.gif


 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.