DNS Changer problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by kazenotaco, Dec 23, 2006.

  1. kazenotaco

    kazenotaco Private E-2

    Hello,
    My AVG anti-spyware keeps picking up the threat Trojan.DNSChanger.hg but never actually removes the problem. I also have Symantec Anti-virus, spybot S&D, and ad aware and none of these detect the trojan. Would you happen to know of a solution to this problem?

    Thanks,
    Mark
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

    Run ALL the steps in this Sticky thread: READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial... Was anything found? Were you unable to complete any of the scans? Were you unable to download any of the tools? Did you do the on-line scans as suggested? etc.

    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
    • Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
    • CounterSpy
    • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. kazenotaco

    kazenotaco Private E-2

    These are my logs.
     

  4. kazenotaco

    kazenotaco Private E-2

    These are the rest of my logs. I ran the Panda Scan and it detected nothing; however, I was unable to get the log of the scan. The Bitdefender scan detected nothing as well. CounterSpy detected two problems, which I removed. Hopefully there are no other problems, but I wanted to post these just in case.

    Thanks for the help,
    Mark
     

  5. kazenotaco

    kazenotaco Private E-2

    I would also like to add that I just ran AVG Anti-Spyware again and it is still finding the same Trojan.DNSChanger.hg as described earlier, yet it does not remove it.
     
  6. kazenotaco

    kazenotaco Private E-2

    Please don't forget about me! :eek:
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I apologize for the delay; I have had some problems setting up my new system. Since it has been a few days, can you attach some fresh logs?
     
  8. kazenotaco

    kazenotaco Private E-2

    My first group of attachments
     

  9. kazenotaco

    kazenotaco Private E-2

    The Panda scan detected no problems; however, I was unable to get the log of the scan. I have found that AVG still picks up that same Trojan.DNSChanger.hg even after all these scans, so I decided to include that in one of the logs.

    Also, no problem for the wait, and congrats on your new system =)

    Thanks for the help,
    Mark
     

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have HJT fix the below entry:

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    Next, run CCleaner to clean up cookies and temp files.

    Next, Reset Web Settings & Default Security Settings

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

    Once you complete the above, reboot and let me know how things are running and if any problems remain.
     
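Added example, not part of the original thread and not code from HijackThis: a small Python parser for log lines in the format of the O9 entry quoted in the post above, which lists the entries marked "(file missing)". The first two sample lines and all function names are constructed for illustration.

```python
import re

# A HijackThis log entry starts with a section code (R0, F2, O9, O23, ...) and " - ".
SECTION_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"

# Constructed sample log: the O2 and O4 lines are invented,
# the O9 line is the entry quoted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\example.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""


def parse_hjt_line(line):
    """Parse one log line into a dict; return None for headers and blank lines."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)].rstrip()
    clsid = CLSID_RE.search(body)
    return {
        "section": m.group("section"),
        "clsid": clsid.group(0) if clsid else None,
        # Last " - " separated field; the whole body when there is no separator.
        "target": body.rsplit(" - ", 1)[-1],
        "missing": missing,
    }


def orphaned_entries(log_text):
    """Return the parsed entries whose target is marked as missing."""
    parsed = (parse_hjt_line(line) for line in log_text.splitlines())
    return [e for e in parsed if e and e["missing"]]


if __name__ == "__main__":
    for entry in orphaned_entries(SAMPLE_LOG):
        print(entry["section"], entry["clsid"], entry["target"])
```
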
  11. kazenotaco

    kazenotaco Private E-2

    I completed everything you described above; however, AVG is still picking up the same Trojan.DNSChanger.hg threat. This causes my searches when using Google or MSN to send me to advertisement sites if I click on any of the resulting links instead of the intended website. It seems that AVG is the only thing detecting this problem at the moment, yet it does not seem to be able to remove it.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I would like you to flush your System Restore points. Please follow the instructions below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above, reboot once more and then run one last scan to see if the detection remains.
     
  13. kazenotaco

    kazenotaco Private E-2

    I attempted the procedure you described as well as running the scan again in safe mode and the problem still hasn't been removed. :(
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Reboot into Safe Mode and run another scan with AVG Anti-Spyware. Have it remove anything that it finds. Once completed, reboot back to normal mode and attach the log from the scan.
     
  15. kazenotaco

    kazenotaco Private E-2

    Here is my AVG log file.
     

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Was this in Safe Mode? Does it come back every time you scan?

    Please download Blacklight to its own folder...

    F-Secure Blacklight

    After download is complete, double click to run the program. Click "Accept" to proceed. Then click SCAN to begin scanning your system.

    Once the scan is complete it will attempt to clean the found infections. There should be a log in the folder that you ran the program from, attach this log to your next post.
     
  17. kazenotaco

    kazenotaco Private E-2

    The AVG scan was done in safe mode and the threat keeps coming back even after I scan and try to remove it. This is the log for the Blacklight program. It detected one hidden file which it didn't remove but gave an option to rename it. I left the file alone for now.
     

  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\kdwwj.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Once you complete this, reboot once more and attach a fresh log from Blacklight and a fresh AVG scan.
     
  19. kazenotaco

    kazenotaco Private E-2

    Neither scan detected any problems and the symptoms of the problem appear to be gone thus far. I attached both logs of the scans just in case. Thanks a lot for the help, it's greatly appreciated. :)

    -Mark
     

  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs look good. Are you having any further problems?
     
  21. kazenotaco

    kazenotaco Private E-2

    I have had no further problems, everything has been working great. Thanks again for your help!
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

