Trojan DNS Changer

I need some help. I am doing a POC and one of the machines I scanned with MBAM was infected by a Trojan DNS changer. The customer was aware of this and thought Malwarebytes could remove it. They don't know how the infection occurred.

When I deployed the Malwarebytes agent, it could not register with the server because the DNS servers had been changed. I changed them back and the agent was able to register. I ran a scan and found some Trojans and adware, as seen in the attached screenshot. After cleaning and rebooting the machine, the DNS got changed again. I checked and found a scheduled task which was invoking one of the files in the folder where the adware was located: C:\Windows\system\my1.bat. This task had multiple triggers, which I could not see. Anyway, I deleted this task and ran a full scan again. The same pieces of infection got detected. I also downloaded our anti-rootkit tool and ran a scan, which came out clean. I changed the DNS back and rebooted. Still, the same issue occurred. I think some registry keys or other system settings must have been changed to establish persistence, but I could not figure out which ones.

I copied the VirusTotal report for two of the files as well as the Hybrid Analysis report:

The samples can be downloaded via the link below:

I also attach the scripts invoked by the registry key and by the scheduled task:

Task: C:\Windows\Tasks\my1.job => c:\windows\system\my1.bat <==== ATTENTION (in addition)

HKLM\...\Run: [BGClients] => cmd /c start /min c:\windows\system32\wbem\123.bat (FRST)

Edited by MehdiB: adding info
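Added here as a defender's triage example, not part of the original post or of any Malwarebytes tool: a PowerShell script that checks the three persistence points the post describes (current DNS servers per adapter, Run keys, and scheduled task actions with their triggers) and whether the quoted files still exist after cleaning. The two .bat paths, the .job path and the "BGClients" value name come from the FRST lines above; the registry key list and the .bat pattern are assumptions for illustration.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# on the affected host. Paths below are the ones quoted in the post's FRST lines.
$SuspectPaths = @(
    'C:\Windows\system\my1.bat',          # invoked by the my1.job scheduled task
    'C:\Windows\system32\wbem\123.bat',   # invoked by the HKLM Run value "BGClients"
    'C:\Windows\Tasks\my1.job'            # legacy .job file for the task
)

# 1. Current DNS servers per adapter, to see whether they were reverted again.
Write-Host "== DNS servers per adapter =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# 2. Run keys (machine and user) whose command references a .bat file.
#    Key list is an assumption: the post only shows the HKLM\...\Run hit.
Write-Host "== Run key entries referencing .bat files =="
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match '\.bat' } |
            ForEach-Object { "{0}  {1} = {2}" -f $key, $_.Name, $_.Value }
    }
}

# 3. Scheduled tasks whose action runs a .bat, listing every trigger type
#    (the post notes the task had multiple triggers that were not visible).
Write-Host "== Scheduled tasks running .bat files =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (("$($a.Execute) $($a.Arguments)") -match '\.bat') {
            [pscustomobject]@{
                Task     = $task.TaskPath + $task.TaskName
                Command  = "$($a.Execute) $($a.Arguments)"
                Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ', '
            }
        }
    }
} | Format-Table -AutoSize -Wrap

# 4. Does each suspect file still exist (i.e., was cleaning incomplete)?
Write-Host "== Suspect files =="
foreach ($p in $SuspectPaths) { "{0,-40} exists: {1}" -f $p, (Test-Path $p) }
```

If step 3 shows nothing but the .job file in step 4 still exists, inspect it with `schtasks /query /v /fo LIST`, since Task Scheduler 1.0 jobs are not always surfaced the same way.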