DNS Changer cannot get rid of it

Discussion in 'Malware Help (A Specialist Will Reply)' started by hookturn2, Apr 4, 2010.

  1. hookturn2

    hookturn2 Private E-2

    I ran the malware removal from your guide. SuperAntiSpyware found nothing so I won't attach the log. I could not run Malwarebytes; I get an error message that says MDAM error_load_database(0,0). I am attaching the log from ComboFix and RootRepeal, and the zip from MGtools. I could not shut down AVG 9 nor could I remove it before I ran ComboFix. I received a message that I have attached. The DNS changer shows up in HKEY_Local_Machine\System\CurrentControlSet\services tcp\parameters\DchpNameServer and in Interfaces and a letter/number string that has changed since I was able to run Malwarebytes a week ago. The IP address is from the Ukraine. It is 93.188.161.105 and 93.188.166.105. This is a tough one. I have another computer hooked up through a router and it has it too now. I guess it came from mine through the router to the other one. I have tried a few different times to get rid of this. I guess I may have to format my hard drive if I cannot get rid of it. I hope you guys can help.
    Thanks,
    Gary
     

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You had signs of a DNS hijacker infection that has mostly been removed. The infection you have is known to infect router hardware. If you have a router hooked up then you need to follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push button type switch that needs to be held down for some number of seconds to do this. After resetting to factory defaults on your router, you will need to reconfigure the router for your network if you have made any changes to the default network setup. After doing this, continue on with the below.


    Download HostsXpert and then follow the below steps.

    * Unzip HostsXpert.zip
    * It will create a folder named HostsXpert in whatever folder you extract it to.
    * Run HostsXpert.exe by double clicking on it.
    * Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    * Click Restore Microsoft's Hosts File and then click OK.
    * Click the X to exit the program

    Now:
    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    SecCenter::
    {7591DB91-41F0-48A3-B128-1A293FD8233D}
    
    File::
    C:\Documents and Settings\All Users\Application Data\kbkwknay.ayh
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B3312915-9368-4FE4-8D4E-B60E5B36D0FF}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5D33A26-F043-4808-B335-6B10630E04F8}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc600575-3013-4e8e-941c-4b00dafce730}]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  3. hookturn2

    hookturn2 Private E-2

    I cannot get rid of AVG free, when I go to add remove and try and remove I get this:
    Local machine: installation failed
    Installation:
    Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
    Access is denied.
    What should I do, should I run MG Tools and Combofix anyway?
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes.
     
  5. hookturn2

    hookturn2 Private E-2

    Tim, I have one other question before I begin. You said: 'The infection you have is known to infect router hardware. If you have a router hooked up then you need to follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push button type switch that needs to be held down for some number of seconds to do this. After resetting to factory defaults on your router, you will need to reconfigure the router for your network if you have made any changes to the default network setup. After doing this, continue on with the below.'

    If the router is infected and I get rid of the trojan on it, won't it get reinfected as I am trying to get rid of the trojan on my computer? Should I go directly to the modem or should I just work offline?
    By the way, thank you very much.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you reset your router and then do my fix while keeping the computer disconnected from the router, you will be fine. After the fix, reconnect and attach the requested logs.
     
  7. hookturn2

    hookturn2 Private E-2

    Here are the logs. I still cannot download Malwarebytes, nor can I open my PC Tools Spyware Doctor with Antivirus. When I try to download MBAM I get a message MBAM_Error updating(12007,0,WINHttpSendRequest); when I try to smart update it says UPLOAD FAILED error downloading list of updates please try again.
    And these IP addresses are still in my registry: 93.188.161.105 93.188.166.105. They are under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C3BE354F-9C3E-483C-8440-7DC1E01F38AE}\DhcpNameServer

    Back when Malwarebytes first found this it said Trojan DNSChanger after the addresses and I have been trying to get rid of it ever since.
     

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Let me know it that works. You may need to go into your LAN configuration and check your settings.
     
  9. hookturn2

    hookturn2 Private E-2

    I did a bunch of work to my machine last night and this morning and am able to log on and download Malwarebytes. I just ran the fixMe.reg and then ran Malwarebytes and the log is below. I have a disk that will take my hard drive down to 0. It will wipe everything to an unrecoverable state. It looks like I may have to use it. I have had a friend who is also a major geek go through this just the other day and he could not find this malware trojan. :cry Do you have any other ideas?
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you ever reset your router back to factory defaults? If not, you need to do this since DNS changer infections can change the router. It would even be a good idea after the reset, to look for any available router firmware update and install it.

    You should also supply a new log from MGtools for Tim to look at afterwards.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Esp. since your MBAM log indicates that you didn't allow it to fix what it found!! So please attach a log showing that MBAM fixed those issues as well as the new MGLogs.zip.
     
  12. hookturn2

    hookturn2 Private E-2

    I had Netgear check my router and it was not infected so I didn't have to do anything with it.
    I tried to include a screen shot of what MB found before the fix, and after I fixed and rebooted, but they are too big. What you would have seen though is the two trojan DNS changers with their addresses. After reboot there it is again. The problem is there are no scans that get down into the system root and find where this file is, so it is put right back after reboot. I have included the MGtools HijackThis file as well. I put different DNS addresses in, so my machine is not being routed through the changer, but it is still on my system and I cannot find it. I will keep hunting and if I find it I will let you guys know. Unless of course you already know where this thing might be? Right now I am just not doing anything that I don't want the bad guys to know about. If they want to watch me play online Scrabble, or watch a quantum physics lecture from MIT, good for them. What I would really like to do is run something back through that IP address that would fry their server.

    Thanks for all your advice. I am going to have to send the files.

    Gary
     

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Although the HJT log you attached is clean, I wanted a new MGLogs.zip.
     
  14. hookturn2

    hookturn2 Private E-2

    There ya go, my misunderstanding. I am going to run a registry clean, Uniblue Registry Booster, so some of those invalid entries and shortcuts that don't exist anymore will be gone.

    Please let me know if anyone figures out where this bugger is hiding?

    Thanks again.
     

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Tell me how things are.
     
