zlob.dnschanger / trojan.dnschanger

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by petes1980, Nov 1, 2008.

  1. petes1980

    petes1980 Private E-2

    Hi

My work's office computers have all been infected with the trojan.dnschanger. I have tried everything I can to get rid of it. I have run the following in normal and safe mode and still no luck:

    AVG Anti Virus
    Spyware Doctor
    Adaware
    SUPERAnti Spyware
    Malwarebytes (this is the best at detecting it)
    CCleaner (just to clean temp files etc)

I also have HijackThis, Combofix and Malwarebytes logs I can post. Can someone let me know what they need me to post to get this thing off our computers? When I run Malwarebytes, it finds 6 trojan.dnschanger registry entries, it removes them and then about 10 minutes later they come back. They only come back when I am connected to the internet though. If I restart my computer when not connected to the internet then Malwarebytes won't find anything. Please help me asap as we have 8 machines here infected and it's crippling my business!

Thank you in advance
    Pete
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi Pete and Welcome to Majorgeeks


Yes, logs will indeed help, but we do have a set of steps that we need you to follow, as this gets your PC(s) to a known state and along the way generates a few logs that will need attaching to your next posts.

If there are multiple PCs involved with this malware infection, then what I would do, as the fix may be slightly different for each and to keep things from becoming confusing, is start a new thread for each PC involved with this malware infection and name the thread something like "zlob.dnschanger / trojan.dnschanger infection PC #1" and then #2, etc.


    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:

1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
2. If you have problems downloading on the problem PC, download the tools on another PC and burn them to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.

      plus a guide on how to attach the logs HOW TO: Attach Items To Your Post
     
  3. petes1980

    petes1980 Private E-2

Thank you for your reply.

Ok, I have attached the Malwarebytes log file, Combofix log file and the MGTools.zip for you. I haven't attached the SUPERAntiSpyware file because it doesn't ever find anything; trust me, I have run that program about 15 times on 7 different machines here and it doesn't find anything. Spybot also didn't find anything either. The only programs to find anything are Spyware Doctor (usually finds 3 registry entries) and Malwarebytes (usually finds 6 registry entries).

    I really hope you can help. We have also tried the Kaspersky Online scanner which found nothing, the Trend Micro "Worry Free Business Security" on a trial version which found nothing, the Trend Micro System Cleaner (just on the XP machines) which found nothing. I'm running out of programs to run here!

I hope you can see what is causing this. If I remove the registry entries with Malwarebytes and restart the computer without a network connection, and then run Malwarebytes again, it won't find anything. As soon as you then activate the internet connection and run Malwarebytes, it will find another 4 or 6 of the same entries.

    Cheers
    Pete
     
  4. petes1980

    petes1980 Private E-2

    How to get rid of trojan.dnschanger/zlob.dnschanger

To all those who have been infected with the trojan.dnschanger as I was these last few days. I couldn't quite understand why, if I ran Malwarebytes, cleared the infections, then restarted my computer WITHOUT a network connection, the infection seemed to be cleared. Then AS SOON AS I connected to the internet it would come back again. Finally the obvious dawned on me: it had actually changed the settings of my internet connection. It had caused it to connect with its own DNS records instead of automatically getting them from the ISP.

In my case it had actually changed the settings on my router, which is why it affected all 8 machines that connected through the router. As soon as I removed those settings and returned it back to automatically getting them from the ISP, everything was fine.

So, to get rid of this unbelievably annoying infection, disconnect from the internet, run Malwarebytes to clear any remaining infections, and remove the amended DNS settings. Restart your computer, connect to the internet, perform a final Malwarebytes quick scan to make sure it has gone and then continue with your life happy in the knowledge you have overcome another annoying infection :-D
     
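The post above describes the tell-tale sign of this infection: the hosts are quietly handed rogue DNS resolvers (here via the router's DHCP settings). As an added example, not code from the thread or from any tool mentioned in it, the script below parses Windows `ipconfig /all` output and flags any DNS server that is not inside a list of trusted networks (the LAN and the ISP's resolver range). The sample output and the trusted ranges are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not taken from the thread): a DHCP
# client whose DNS servers are not the router but two unexpected public addresses.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.10
                                       203.0.113.11
"""

# Resolvers we expect to see: the router's LAN and the ISP's resolver block (assumed values).
TRUSTED_NETWORKS = ["192.168.1.0/24", "198.51.100.0/24"]

DNS_LINE = re.compile(r"DNS Servers[ .]*: *(\S+)")
ADDR_ONLY = re.compile(r"[0-9A-Fa-f.:]+")


def parse_dns_servers(ipconfig_text):
    """Return the DNS server addresses listed in `ipconfig /all` output.

    The first server sits on the 'DNS Servers' line; extra servers follow on
    continuation lines that contain nothing but an address.
    """
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        match = DNS_LINE.search(line)
        if match:
            servers.append(match.group(1))
            collecting = True
            continue
        stripped = line.strip()
        if collecting and stripped and ADDR_ONLY.fullmatch(stripped):
            servers.append(stripped)
        else:
            collecting = False
    return servers


def audit_dns(servers, trusted_networks):
    """Return the servers that fall outside every trusted network (or are not valid IPs)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    rogue = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            rogue.append(server)
            continue
        if not any(addr in net for net in nets):
            rogue.append(server)
    return rogue


if __name__ == "__main__":
    found = parse_dns_servers(SAMPLE_IPCONFIG)
    print("DNS servers in use:", found)
    print("Unexpected resolvers:", audit_dns(found, TRUSTED_NETWORKS))
```

Running this on each machine after cleanup gives a quick way to confirm that the router is handing out the ISP's resolvers again rather than the ones the malware configured.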
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Since MBAM has removed your infection and you are saying that it comes back, it sounds like the rest of the process for removing this infection (also commonly called a WareOut infection) has not been finished. These instructions are included in the below procedure:

    WareOut Removal

The above procedure and the infection you mentioned were mentioned in another sticky thread titled:

    Special Removal Procedures - SmitFraud,Virtumonde,Qoologic,SpyAxe,Look2ME,Zlob


    I'm not sure if FixWareOut supports Vista, but you could disconnect your PC from the internet, run MBAM, and then follow the remaining instructions in the WareOut Removal procedure to get your network settings restored to the proper DNS server.
     
    Last edited: Nov 2, 2008
  6. petes1980

    petes1980 Private E-2

I did see that thread and tried to act on it, but both links to that FixWareout are broken so I figured the thread was obsolete now.

Changing the DNS settings on our router did however fix the problem, so we are all trojan free here now!

Thank you for your help.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Yes, the tool itself is obsolete since other scanners now pick up the infections and remove them. However, obviously some manual steps like I had given in that procedure will still need to be run. I'll have to update that thread to remove FixWareOut and insert MBAM but keep the rest. ;)

    If you are not having any other malware problems, it is time to do our final steps:
1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
  • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
  • "%userprofile%\Desktop\combofix" /u
    • Note: the space between the combofix" and the /u must be there.
    • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  • Delete the C:\combofix folder from combofix (if it exists).
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
  • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     