Trojan.DNSChanger issue; websites redirecting, cpu usage 100%, and more



Hi, I managed to make a mistake and now my laptop is infected with malware that I cannot remove. I started the machine in Safe Mode twice and did a scan with Malwarebytes (I could not open the program in normal mode). Both times it caught Trojan.DNSChanger and others, and I did delete them, but when I restarted the machine in normal mode the problem persisted.

So I did some searching on the web (through my other laptop) and came across this page from an individual who had the same problem as me:

http://forums.malwarebytes.org/index.php?showtopic=55184

I followed all the instructions that Maniac provided on this page up until it told me to post my results:

http://forums.malwarebytes.org/index.php?showtopic=9573

So here I am, not wanting to go any further without any help (because being hasty is what got me infected in the first place).

While I was doing the GMER Root scan, CPU Usage was 100% and everything was very slow, down to the arrow movement on the desktop. By the time the scan was finished, it was impossible to save the log and I had to shut the computer down and restart it in safe mode. Then I completed the scan there.

Here is my Malwarebytes log (which I ran in Safe Mode):

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4152

Windows 6.0.6001 Service Pack 1 (Safe Mode)

Internet Explorer 8.0.6001.18928

7/2/2010 12:37:28 PM

mbam-log-2010-07-02 (12-37-28).txt

Scan type: Quick scan

Objects scanned: 127416

Time elapsed: 5 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 4

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.64,93.188.161.204 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{97f3b5dd-94ec-4848-8193-9ee1f1c3e7a2}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.64,93.188.161.204 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e0a69b14-8736-40d2-8fdc-9ade26b4e345}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.64,93.188.161.204 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e0a69b14-8736-40d2-8fdc-9ade26b4e345}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.64,93.188.161.204 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here is the DDS log (This scan was done in normal mode):

DDS (Ver_10-03-17.01) - NTFSx86

Run by Pahuja at 2:07:34.22 on Fri 07/02/2010

Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_20

Microsoft

Attach.zip


Please download ComboFix from this link, save it on your desktop, turn off your anti-virus software, and run the ComboFix download that you had saved on your desktop.

Combofix will ask you a few questions (such as whether or not you want to install the Windows Recovery Console), give you some general warnings about not using it without supervision, and it will give you some general information about the tool. Please note that the Windows Recovery Console is not required to run ComboFix, and that you do not need it if you have a Windows XP disk.

ComboFix usually takes about 10 minutes to run, unless your computer is heavily infected. It will run through about 50 different stages (listing them all on the blue window that popped up while it was running), and if it does not advance to the next stage after about 10 minutes then that is usually a sign that your anti-virus software is interfering with it.

Once ComboFix is done, it will remove anything that it knows is malicious, and restart your computer. If it didn't find anything malicious, then it will skip that step. The final step takes a few minutes, and when it is done it will open a log in Notepad. Please either copy and paste this log into a reply, or save it on your desktop as a Text Document and attach it to a reply. Please do not take screenshots of the log, or save it as a Word Document.


OK, I have written a script that will tell ComboFix how to delete some things that I saw in the log. Here are instructions on what to do with the script.

  1. Turn off your Anti-Virus software.
  2. Click your Start button, go to All Programs (or just Programs on Vista), go to Accessories, and then open Notepad.
  3. Please copy and paste the contents of the CODE box below into Notepad (here is a link to instructions if you do not know how to copy and paste):
    http://forums.malwarebytes.org/index.php?showtopic=56284

    KillAll::

    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyOverride"=-
    "ProxyServer"=-
    "ProxyEnable"=0
    [-HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^00ae20f1ee0be72727a6c6dbf4ecd775.31.dll.lnk]
    [-HKLM\~\startupfolder\C:^Users^Pahuja^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^00ae20f1ee0be72727a6c6dbf4ecd775.31.dll.lnk]

    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

    RegNull::
    [HKEY_USERS\S-1-5-21-932318107-788214011-4154406407-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7A628DB2-291B-61FE-9A1D-A9E6E7E3D4C0}*]


  4. Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).
  5. Close Notepad and verify that the CFScript file is saved on your desktop.
  6. Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:
    (animated picture: CFScriptB-4.gif)

When finished, it will display a new log in Notepad. Please either copy and paste the contents of that log into a reply, or save the log on your desktop and attach it to a reply.

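The two registry hijacks in this thread, the rogue resolvers Malwarebytes found under Tcpip\Parameters in the first post and the forced WinINET proxy that the CFScript above resets, can both be triaged offline from a `reg query ... /s` dump of the affected keys. The following Python script is an added example written for this page; it is not code from the thread, from Malwarebytes or from ComboFix. The sample dump is constructed: the key paths, interface GUIDs and the two 93.188.x.x resolvers are taken from the Malwarebytes log above, while the 192.168.1.1 router address, the proxy values and the trusted-resolver allow-list are assumptions for the example. One caveat worth noting from the log: the malware overwrote DhcpNameServer as well as NameServer. DhcpNameServer is normally populated by the DHCP client from the lease, so a value there that the router does not actually hand out is a tampering indicator rather than a misconfigured router.

```python
"""Triage helper for the two network hijacks seen in this thread: rogue DNS servers
written into Tcpip\\Parameters (Trojan.DNSChanger) and a forced WinINET proxy.

It parses the text that `reg query <key> /s` prints on Windows, so the dump can be
taken on the infected machine and examined elsewhere. Nothing here touches a live
registry. Added example for this page; not code from the thread or its tools.
"""
import ipaddress
import re

# Constructed sample dump. The key paths, interface GUIDs and the two 93.188.x.x
# resolvers come from the Malwarebytes log in this thread; the 192.168.1.1 router
# address and all proxy values are assumptions made for the example.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    NameServer    REG_SZ    93.188.162.64,93.188.161.204

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{97f3b5dd-94ec-4848-8193-9ee1f1c3e7a2}
    NameServer    REG_SZ    93.188.162.64,93.188.161.204
    DhcpNameServer    REG_SZ    192.168.1.1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e0a69b14-8736-40d2-8fdc-9ade26b4e345}
    NameServer    REG_SZ    93.188.162.64,93.188.161.204
    DhcpNameServer    REG_SZ    93.188.162.64,93.188.161.204

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    http=127.0.0.1:5555
    ProxyOverride    REG_SZ    <local>
"""

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.+$")               # key paths start at column 0
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")  # "    Name    REG_TYPE    Data"


def parse_reg_dump(text):
    """Return {key_path: {value_name: data}} from `reg query ... /s` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if KEY_RE.match(line):
            current = line.rstrip()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, _reg_type, data = m.groups()
            keys[current][name] = data.strip()
    return keys


def suspicious_dns(keys, trusted=frozenset()):
    """List (key, value_name, server, reason) for resolvers that are neither on the
    LAN (RFC 1918 / loopback) nor in the caller's allow-list of known resolvers."""
    findings = []
    for path, values in keys.items():
        if "\\Tcpip\\Parameters" not in path:
            continue
        for name in ("NameServer", "DhcpNameServer"):
            for server in re.split(r"[,\s]+", values.get(name, "")):
                if not server:
                    continue
                try:
                    ip = ipaddress.ip_address(server)
                except ValueError:
                    findings.append((path, name, server, "not an IP address"))
                    continue
                if ip.is_private or str(ip) in trusted:
                    continue
                reason = "resolver is not the router and not in the allow-list"
                if name == "DhcpNameServer":
                    # The DHCP client writes this value from the lease; if the router
                    # does not actually hand out this address, something else wrote it.
                    reason += " (DHCP-assigned value; compare with the router's DHCP offer)"
                findings.append((path, name, server, reason))
    return findings


def forced_proxy(keys):
    """Return the ProxyServer string if ProxyEnable is set, else None.
    `reg query` prints REG_DWORD as hex (0x1); a plain decimal is accepted too."""
    for path, values in keys.items():
        if not path.endswith("\\Internet Settings"):
            continue
        enabled = values.get("ProxyEnable", "0")
        value = int(enabled, 16) if enabled.lower().startswith("0x") else int(enabled)
        if value != 0:
            return values.get("ProxyServer", "")
    return None


if __name__ == "__main__":
    parsed = parse_reg_dump(SAMPLE_DUMP)
    for key, name, server, reason in suspicious_dns(parsed):
        short_key = key.rsplit("\\", 1)[-1]
        print(f"{name} = {server} under {short_key}: {reason}")
    proxy = forced_proxy(parsed)
    if proxy is not None:
        print(f"Proxy forced on: ProxyServer = {proxy}")
```

On the affected machine the dump would be taken with `reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /s` and `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"`, redirected to a text file and read into `parse_reg_dump`. The allow-list is deliberately empty by default: for a home laptop the only legitimate resolver is usually the router, and any ISP or public resolver the user relies on should be added explicitly rather than assumed.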

OK, that log is looking better.

Please run an online virus scan through ESET. Here are the steps:

  1. Turn off your anti-virus software.
  2. Click on this link.
  3. Click on the "ESET Online Scanner" button.
  4. Put a check in the box that says "YES, I accept the Terms of Use."
  5. Click the 'Start' button just to the right of the checkbox.
  6. Uncheck the box that says "Remove found threats" (this is very important).
  7. Click on "Advanced settings".
  8. Put a check in the box that says "Scan for potentially unsafe applications".
  9. Verify that "Scan for potentially unwanted applications" is also checked.
  10. Verify that "Enable Anti-Stealth technology" is also checked.
  11. Click the 'Start' button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
  12. When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  13. Save that text file on your desktop, and then copy and paste it into a reply for me.
  14. Close the ESET online scan.

I will take a look at the log, and let you know if anything needs to be removed.


Here is the ESET Log:

C:\Program Files\Unlocker\eBay_shortcuts_1016.exe a variant of Win32/Adware.ADON application

C:\ProgramData\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent trojan

C:\Qoobox\Quarantine\C\Windows\Sgenya.exe.vir a variant of Win32/Kryptik.FGW trojan

C:\Users\All Users\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent trojan

C:\Users\Pahuja\AppData\Local\Mozilla\Firefox\Profiles\77fj2488.default\Cache\812C1317d01 Win32/TrojanDownloader.FakeAlert.BAK trojan

C:\Users\Pahuja\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\6e49cf76-75f5976e a variant of Java/TrojanDownloader.Agent.NAA trojan


1. Please download The Avenger (by Doug Swanson) from this link, and make sure to save it on your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the CODE box below, and it will be pasted into The Avenger in a later step (if you do not know how to copy and paste, then there are instructions at this link):

Files to delete:
C:\Program Files\Unlocker\eBay_shortcuts_1016.exe
C:\Users\Pahuja\AppData\Local\Mozilla\Firefox\Profiles\77fj2488.default\Cache\812C1317d01
C:\Users\Pahuja\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\6e49cf76-75f5976e

Note: the above code was created specifically for the person requesting assistance in this forum topic, and it is based entirely on the logs they supplied from their computer. No one else should attempt to run The Avenger with this script, as it may damage their computer!

3. Now, open the avenger folder on your desktop and start The Avenger program by double-clicking on its icon.

  • Please paste the contents of the CODE box above (which you should have already copied) into the white box in The Avenger (see example picture below).
  • Click on the Execute button in the lower-right corner (see example picture below).
    (example picture: paste_script_into_avenger.png)
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of The Avenger.


Here is the content of the avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File "C:\Program Files\Unlocker\eBay_shortcuts_1016.exe" deleted successfully.

File "C:\Users\Pahuja\AppData\Local\Mozilla\Firefox\Profiles\77fj2488.default\Cache\812C1317d01" deleted successfully.

File "C:\Users\Pahuja\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\6e49cf76-75f5976e" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Yes, I was able to update Malwarebytes and scan. There were two items found and I removed them. Here is the log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4289

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18928

7/7/2010 12:50:01 PM

mbam-log-2010-07-07 (12-50-01).txt

Scan type: Quick scan

Objects scanned: 136682

Time elapsed: 9 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\UBC5AB1IDP (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\EWABQAF7KL (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


... Anything else left to do? What about re-enabling DeFogger?

Yes, re-enable anything you disabled before posting this topic, and you can delete any of the utilities we used and the logs they saved.

Also, if you would like to read an article on preventing this type of stuff from happening again, then I have a mostly completed one at this link (I'll finish it one of these days, but at least the software section is pretty good).

