Help with Trojan.DNSChanger.hg

Discussion in 'Malware Help (A Specialist Will Reply)' started by HotShot, Dec 15, 2006.

  1. HotShot

    HotShot Private E-2

    Hi all just joined to see if I can get some help with Trojan.DNSChanger.hg

    I have read & followed the READ & RUN ME FIRST thread and have attached the files in my posts.

Basically after WoW wouldn't work due to an error saying it couldn't validate the game version and finding out some causes were trojans for that, I decided to clean my system & didn't come across any trojans they named & instead the only trojan detected was this one and WoW still ain't working sob :( so I've spent all day trying to get rid but have had no luck so far. I'm hoping that will change.

The program I used to scan at 1st was Spyware Doctor which (I didn't know when downloading) only scans and does not remove infections. So I'm going to post the report from that in my next post along with the other log files as they can't all be attached in one post.

    Hope someone can help and thnx for reading.
     

    Attached Files:

  2. HotShot

    HotShot Private E-2

    This is my second post to include the other log files and the info from the Spyware Doctor log:

    Scan Results:
    scan start: 15/12/2006 11:47:53
    scan stop: 15/12/2006 11:56:35
    scanned items: 98326
    found items: 25
    found and ignored: 0
    tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner



    Infection Name Location Risk
    Advertising C:\Documents and Settings\Administrator\Cookies\hotshot@ad.zanox[1].txt Low
    Tracking Cookie(s) C:\Documents and Settings\Administrator\Cookies\hotshot@atwola[1].txt Low
    Advertising C:\Documents and Settings\Administrator\Cookies\hotshot@com[1].txt Low
    Tracking Cookie(s) C:\Documents and Settings\Administrator\Cookies\hotshot@fms[2].txt Low
    Tracking Cookie(s) C:\Documents and Settings\Administrator\Cookies\hotshot@gamespy[1].txt Low
    Tracking Cookie(s) C:\Documents and Settings\Administrator\Cookies\hotshot@planetelderscrolls.gamespy[1].txt Low
    Advertising C:\Documents and Settings\Administrator\Cookies\hotshot@yieldmanager[2].txt Low
    Known Bad Sites C:\Documents and Settings\Administrator\Favorites\fun stuff\flash vids\flowgo.com.url High
    Affiliated with Browser Hijackers C:\Documents and Settings\Administrator\Favorites\games\other\flash\miniclip.com - free games.url Elevated
    Affiliated with Browser Hijackers C:\Documents and Settings\Administrator\Favorites\games\other\miniclip.com - free online games, multiplayer games and more....url Elevated
    Known Bad Sites C:\Documents and Settings\Administrator\Favorites\games\the sims 2\simtentatious.url High
    CWS C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VT9YH6Y\gray-arrow[1].gif High
    CWS C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VT9YH6Y\menu-arrow[1].jpg High
    CWS C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8CVUHXEY\pattern-line[1].gif High
    CWS C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8CVUHXEY\white-arrow[1].gif High
    CWS C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GM0VN2BV\in-image[1].gif High
    CWS C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GM0VN2BV\red-arrow[1].gif High
    Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon##System High
    Trojan.DNS Changer HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters##NameServer High
    Trojan.DNS Changer HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{13A1CA6E-A12C-4479-917D-99E3AACF8D61}##DhcpNameServer High
    Trojan.DNS Changer HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{13A1CA6E-A12C-4479-917D-99E3AACF8D61}##NameServer High
    Trojan.DNS Changer HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6C74E91F-BBBD-4984-812A-69D616B39E74}##NameServer High
    Trojan.DNS Changer HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6CFCDAE0-D4B6-4741-90BF-930E87A909A8}##DhcpNameServer High
    Trojan.DNS Changer HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7FC4D1B7-E100-4BFF-A012-7292ECF63BDE}##DhcpNameServer High
    Trojan.DNS Changer HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7FC4D1B7-E100-4BFF-A012-7292ECF63BDE}##NameServer
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please install and RENAME HijackThis as requested in step 7 of the READ & RUN ME. Do this now before continuing.

Now please run this procedure: WareOut Removal


    Now Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{13A1CA6E-A12C-4479-917D-99E3AACF8D61}: NameServer = 85.255.115.85,85.255.112.236
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6C74E91F-BBBD-4984-812A-69D616B39E74}: NameServer = 85.255.115.85,85.255.112.236
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7FC4D1B7-E100-4BFF-A012-7292ECF63BDE}: NameServer = 85.255.115.85,85.255.112.236
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.236
    O17 - HKLM\System\CS1\Services\Tcpip\..\{13A1CA6E-A12C-4479-917D-99E3AACF8D61}: NameServer = 85.255.115.85,85.255.112.236
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.236
    O17 - HKLM\System\CS2\Services\Tcpip\..\{13A1CA6E-A12C-4479-917D-99E3AACF8D61}: NameServer = 85.255.115.85,85.255.112.236
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.236

    After clicking Fix, exit HJT.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
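The O17 lines above are what a DNS-changer infection looks like in a HijackThis log: the NameServer value under Tcpip\Parameters and under each interface GUID points at resolvers the user never configured, and the same value is present in ControlSet001 and ControlSet002 (CS1, CS2) as well as CurrentControlSet (CCS), so fixing one control set alone leaves a copy behind. The following script is an added example written for this page, not a tool from the thread or from MajorGeeks: it parses O17 lines in HijackThis format, splits the comma- or space-separated resolver list, and reports every address that is not inside an allowlist. The allowlist (RFC1918 ranges, standing in for a home router handing out DNS by DHCP) and the sample log are constructed assumptions; a real check would fill the allowlist with the ISP's or organisation's documented resolvers.

```python
import ipaddress
import re

# Constructed sample log in HijackThis format. The O17 entries copy the
# addresses quoted in the thread; the last line is a made-up clean entry.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{13A1CA6E-A12C-4479-917D-99E3AACF8D61}: NameServer = 85.255.115.85,85.255.112.236
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.236
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
""".strip()

# Assumption for the example: resolvers inside these networks are expected
# (a LAN router doing DHCP/DNS). Replace with the resolvers you actually use.
TRUSTED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# HijackThis O17 line: "O17 - <registry key>: NameServer = <list>"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17_lines(log_text):
    """Return a list of (registry_key, [resolver, ...]) for each O17 line.

    HijackThis shows the list comma-separated for interface keys and
    space-separated for the Parameters key, so both separators are accepted.
    """
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        findings.append((m.group("key"), servers))
    return findings


def is_trusted(ip_str):
    """True if ip_str parses as an IP address inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # garbage in the value is not trusted either
    return any(ip in net for net in TRUSTED_RESOLVERS)


def audit(log_text):
    """Map each O17 registry key to its untrusted resolvers (empty list = clean)."""
    return {key: [s for s in servers if not is_trusted(s)]
            for key, servers in parse_o17_lines(log_text)}


def suspicious_resolvers(log_text):
    """Distinct untrusted resolver addresses across every control set and interface."""
    return sorted({s for bad in audit(log_text).values() for s in bad})


if __name__ == "__main__":
    for key, bad in audit(SAMPLE_HJT_LOG).items():
        print(f"{'SUSPECT' if bad else 'ok     '} {key}: {', '.join(bad) or '-'}")
    print("distinct suspect resolvers:", suspicious_resolvers(SAMPLE_HJT_LOG))
```

Because the report is keyed by registry path, it also shows at a glance whether the rogue value survives in CS1 or CS2 after CCS has been fixed, which is the case the thread's follow-up scans keep running into.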
     
  4. HotShot

    HotShot Private E-2

OK I have done that, just checked WoW again and was able to get in without any errors. :) I have attached the new logs also.

Also I would like to say thanks for your help and patience and my apologies for missing the proper setup of HJT.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach the log requested in the Wareout removal procedure. We need to make sure that it did not indicate any other infected files.

    You should also run CounterSpy again and this time let it fix what it finds rather than ignoring them.

    Also you need to do the below.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9

    Now install the current version of Sun Java from: Sun Java Runtime Environment
     
  6. HotShot

    HotShot Private E-2

Attached the WareOut log, will get onto the rest now. Thnx and sry for taking so long but time was getting on here in the UK.
     

    Attached Files:

  7. HotShot

    HotShot Private E-2

Ok I uninstalled J2SE Runtime Environment 5.0 Update 6 & 9 as requested. I also did a fast scan with AVG Anti-Spyware 7.5 and it came up with the same DNSChanger problem. It recommended quarantine so I did, but they don't seem to have been quarantined anyway and I have attached the report in case you need to see it.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look for the below file and delete it! Boot to safe mode and delete if you cannot delete it in normal boot mode.

    C:\WINDOWS\SYSTEM32\KDUFR.EXE

    Did you tell AVG to FIX? It looks like you took no action?

    Did you re-run CounterSpy and have it FIX this time?

    Attach a new HJT log so I can be sure nothing came back.
     
  9. HotShot

    HotShot Private E-2

I did get CounterSpy to fix what problems it showed which was msg plus and morpheus. AVG said to quarantine so I clicked on it to apply the changes but nothing seemed to have been quarantined. Also I could not locate C:\WINDOWS\SYSTEM32\KDUFR.EXE in normal or safe mode and I even used the search for files and folders option for KDUFR and KDUFR.EXE after checking manually in normal and safe mode.

I'm running CounterSpy again and the previous problems haven't shown up as of yet but they have usually shown by now. The new HJT log is attached.

I thought maybe the problems were stored in System Restore? and that's why they came back, but I haven't disabled it and won't unless asked to.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Windows Search will not show hidden files unless properly configured as I will show you below. However it is still possible that the file was deleted by the FixWareOut program.

    See this to properly configure Windows Search: Searching for Hidden Files on WinXP


    Your HJT log is still clean! If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work through the below link:
     
  11. HotShot

    HotShot Private E-2

    I did that but the DNSCHANGER.hg is still there :confused: any suggestions?
     
  12. HotShot

    HotShot Private E-2

Oh forgot to say FixWareOut must have deleted the KDUFR.EXE as it still can't be found even using the search option which I did with the settings recommended in the Searching for Hidden Files on WinXP post.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Have you toggled System Restore? If not, please do so. Did you configure the DNS settings as requested in the WareOut Removal procedure? Double check that you have done the below:

    • Go into Control Panel -->Network Connections.
    • Right click on your connection
    • and click Properties.
    • On the Properties page, highlight Internet Protocol(TCP/IP)
    • Click Properties. This will bring up another page.
    • Select Obtain DNS Server Automatically.
    • Click the ok button. The page will close.
    • Press ok on the page in front of you.
    • Restart the computer.
    • Reconnect to the Internet using Internet Explorer.
    Now check AVG!
     
  14. HotShot

    HotShot Private E-2

Yes I did do System Restore and I did check the DNS settings after WareOut and it was already set on Obtain DNS Server Automatically and I have checked just now and it's still set at that.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  16. HotShot

    HotShot Private E-2

Ok I just did that and have attached the log.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It still says the file I asked you to delete is there!


    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\KDUFR.EXE
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

Now run FixWareOut again and attach a new log. If it no longer shows the file, then also try running AVG Anti-Spyware and see what happens. However, if the FixWareOut log still reports that file, then run the below instead.


    Download Blacklight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of the BlackLight log.
     
  18. HotShot

    HotShot Private E-2

    Ok I copied:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "system"=-

    to notepad clicked on file/save as, put the filename as fixME.reg and set the Save as type to all files and saved to desktop. When I double clicked the fixME.reg file it says:

    "Are you sure you want to add the information in C:\Documents and Settings\Administrator\Desktop\fixME.reg to the registry?

    I click yes and then it says:

    "Cannot import C:\Documents and Settings\Administrator\Desktop\fixME.reg: Error accessing the registry.
     
  19. HotShot

    HotShot Private E-2

OK here is an update, I just did a scan with AVG Anti-Spyware and it found the Trojan.DNSChanger.hg but this time only found 1 of it and it actually allowed me to send it to quarantine and it is sitting there at the moment, and this is the exact file you asked me to delete but I couldn't find. Anyway it's sat in quarantine and I have attached the AVG Anti-Spyware log from the scan I just did.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Maybe this is part of the problem! Your registry may be locked or your permissions have been changed. Make sure you close ALL applications first and also try it in safe mode. If that does not work I will have you download a tool and I will work up a procedure to remove this registry key. Try the above while I work up a procedure that I will post anyway just in case we need it.
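The fixME.reg fragment HotShot quoted above is a REGEDIT4 file whose only operation is `"system"=-`, the .reg syntax for deleting a single value (here the rogue Winlogon "System" value that Spyware Doctor reported as Trojan.Downloader.Ruins). Before merging any fix file like this it is worth listing exactly what it will do to the registry. The parser below is an added example written for this page, not a tool from the thread or from MajorGeeks; it reads the REGEDIT4 format and turns each line into an explicit operation (delete key, delete value, set string, set DWORD) without touching the registry. The sample file is constructed for the example: it reproduces the Winlogon value deletion and adds two made-up keys so that the other line types are exercised.

```python
import re

# Constructed sample .reg file. The first key and value mirror the fix posted in
# the thread; the "Example" keys are invented to cover the other line forms.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Added]
@="default text"
"Start"=dword:00000004

[-HKEY_LOCAL_MACHINE\SOFTWARE\Example\Removed]
""".strip()

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# [KEY] opens a key; [-KEY] deletes the key and everything under it.
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
# "name"=data or @=data (the key's default value); quotes in names are backslash-escaped.
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def _unescape(name):
    """Turn a quoted .reg value name into the raw name ('' for the default value)."""
    if name == "@":
        return ""
    return name[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return the list of operations a .reg file would perform, in file order."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / Version 5.00 header")
    ops = []
    current = None  # key that following value lines apply to
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            if km.group("minus"):
                ops.append({"action": "delete_key", "key": current, "name": None, "data": None})
                current = None  # values cannot follow a key deletion
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name, data = _unescape(vm.group("name")), vm.group("data")
            if data == "-":
                ops.append({"action": "delete_value", "key": current, "name": name, "data": None})
            elif data.startswith("dword:"):
                ops.append({"action": "set_dword", "key": current, "name": name,
                            "data": int(data[len("dword:"):], 16)})
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                ops.append({"action": "set_string", "key": current, "name": name, "data": data[1:-1]})
            else:
                # hex:, hex(2):, etc. are kept verbatim so they are still visible in the review
                ops.append({"action": "set_other", "key": current, "name": name, "data": data})
            continue
        raise ValueError(f"unrecognised .reg line: {line!r}")
    return ops


def destructive_ops(ops):
    """Only the operations that remove something: these deserve the closest look."""
    return [o for o in ops if o["action"] in ("delete_key", "delete_value")]


if __name__ == "__main__":
    for op in parse_reg(SAMPLE_REG):
        target = op["key"] + ("" if op["name"] is None else f' -> "{op["name"] or "(Default)"}"')
        print(f"{op['action']:<13} {target} {op['data'] if op['data'] is not None else ''}")
```

Reviewing the operations list before double-clicking the file also makes a failed merge easier to interpret: when regedit reports "Error accessing the registry" for a file that only deletes one value, the problem is the permissions or lock on that key rather than the file's content, which is the situation the take-ownership procedure in the next reply addresses.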
     
  21. HotShot

    HotShot Private E-2

OK figured I would check if you still want me to do that? as you probably didn't catch my post as we seemed to post at the same time lol
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Empty the Quarantine now. And then reboot and run a new AVG scan!

    Here is the fix for the locked registry key (if we still need it).

    Please download and install Registrar Lite Make sure you select a Majorgeeks download link and not the Authors!

    Run Registrar Lite navigate to the following key and take ownership of it (I explained how to do that further down).

    HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the top Menu
    • Select Take Ownership
    • Now locate the system variable in the right window pane and right click on it and select Delete
    • Now in RegistrarLite click View and then Refresh
• Is the system variable still gone?
    • Let me know if you get any error messages while doing this
    Now I would run FixWareOut one more time and attach the log!
     
  23. HotShot

    HotShot Private E-2

Ok I did as you requested by emptying the quarantine in AVG and rebooted, then did a fresh scan and the scan didn't find any problems. Do I still need to do anything? Do I have control of my registry?

    Also a big THANKS for all your help and patience so far. :)
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did FixWareOut still show the registry key infected? If not, just complete the final steps that I gave you in message # 10.
     
  25. HotShot

    HotShot Private E-2

If I'm reading it correctly it doesn't seem it found anything and I have attached the log just in case I'm wrong. Will do the final steps now.
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're right it was good this time! :) All clean now! ;)
     
  27. HotShot

    HotShot Private E-2

    Did the steps and want to say thnx once again for all the help. :)
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf Safely!
     
