#1
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2010
    Posts
    3
    Rep Power
    0

    TrojanDNSchanger evades anti-virus


    Let me start by saying that I have had this laptop for less than a month and have no qualms about resetting it to factory settings since it is completely backed up. Bear in mind if I did this it would not be via a disc (ironically I was reminded by Windows to do such a thing but have been prevented from doing this due to the presence of the Trojan) and was wondering if this would still work since the thing is in the registry. Grrr. This is the beginning of a long complicated process.

    I also think that the Trojan originated in my old laptop and has somehow been carried over with my old programs/files but I'm unsure if this can happen.

    I ran malwarebytes on this thing and will paste the log as follows:

    Malwarebytes' Anti-Malware 1.46

    Database version: 4366

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    31/07/2010 15:29:44
    mbam-log-2010-07-31 (15-29-44).txt

    Scan type: Quick scan
    Objects scanned: 130456
    Time elapsed: 5 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.166.105 93.188.161.105 1.2.3.4 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{46ced512-734b-42a8-bb72-8573e194ef9d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.166.105 93.188.161.105 1.2.3.4 -> Not selected for removal.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    This was the initial message. I rebooted and the report was clean. I shut down entirely, however, and the infection returned.

    Bitdefender for some reason was marked as a broken link for me. SUPERAntiSpyware found no problems. My existing programs Norton, Avast and Spybot found nothing. Malwarebytes detects the Trojan but doesn't seem to be able to remove it. I can't run HijackThis as an admin since the computer does not give me the option despite full permissions being given to all users. I have run a scan and can provide screenshots but would like to know if the scan would be performing properly at all since the log appears blank when I try to save it.

    The Trojan itself as suggested in the name redirects my browser. I have reset all of my passwords and personal information from another (clean) computer since I don't know what else this thing could be providing a backdoor to.

    Should I provide screenshots? I also couldn't find a log for my SUPERAntiSpyware. And yes, a rookie mistake letting this thing infect my computer, but it is nigh on invisible to any other program but Malwarebytes.

    ....help?
#2
    Grumpier old Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jun 2003
    Posts
    14,445
    Rep Power
    4539
    Just a guess from what you posted, try setting your computer to a fixed IP address and eliminate DHCP from the picture. Another thing to check is the DHCP server configuration (your router most likely).
    ======
    Doug G
    ======
    Bartender to Rene Descartes "have another beer?" Descartes: "I think not" and he vanished.
    --Alfred Bester
#3
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2010
    Posts
    3
    Rep Power
    0
    Originally Posted by Doug G
    Just a guess from what you posted, try setting your computer to a fixed IP address and eliminate DHCP from the picture. Another thing to check is the DHCP server configuration (your router most likely).
    Thank you Doug G - I will stress again that I live up to my name in many ways and have no idea how to set the address or eliminate the DHCP. Could you please tell me how?
#4
    Grumpier old Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jun 2003
    Posts
    14,445
    Rep Power
    4539
    Originally Posted by ArchetypalIdiot
    Thank you Doug G - I will stress again that I live up to my name in many ways and have no idea how to set the address or eliminate the DHCP. Could you please tell me how?
    Control panel - network settings - your adapter - tcp/ip properties.
    ======
    Doug G
    ======
    Bartender to Rene Descartes "have another beer?" Descartes: "I think not" and he vanished.
    --Alfred Bester
#5
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2010
    Posts
    2
    Rep Power
    0
    Hello, I'm interested in whether you have fixed this "malware". I quoted malware since up to this point it is still not established, IMHO, that it is so. It could be some misconfigured apps misbehaving.

    Have you tried using Avira? Also, if you can, remove the hard disk, attach it to a clean laptop as an external hard disk and try scanning it from there. That way whatever malware, if there is any, exists on that hard disk will be inactive.
#6
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2010
    Posts
    3
    Rep Power
    0
    Thanks guys - I have actually eliminated it for now it appears by doing the following:

    - logging in in safe mode
    - running Malwarebytes
    - removing the Trojan again
    - removing all temporary files and cookies
    - turning off System Restore
    - rebooting the PC
    - resetting my router password/configuration

    I was poking around a bit for information on this particular Trojan and I heard that it might be able to spread through a particular network so I had the other computer checked with Malwarebytes too and thankfully it was clean.

    I left System Restore off because from what I've read it appears the Trojan was being restored with the rest of the system, which is why it probably kept disappearing before a full reboot then appearing straight after. I'm not being redirected anymore, but this particular virus is a little like the monster in the horror movie: is it dead or isn't it? I only just reactivated System Restore and am scanning every time I boot up.

    So far, so good though I will keep these suggestions as good alternatives. Thanks everyone - posted the above in case it's helpful to anyone having the same issue but if it returns I'll let you know.
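    The thread's technical thread runs through two places: Doug G's advice to take DHCP out of the picture and check what hands out the DNS servers, and the original poster's habit of scanning on every boot to see whether the registry entries come back. The script below is an added example, not code from anyone in this thread, and it does the lighter-weight version of that boot-time check: it reads the same `DhcpNameServer` (and the static `NameServer`) values under `Tcpip\Parameters` that Malwarebytes flagged, both the global one and the per-interface ones, and reports any resolver that either matches the addresses in the posted log or is not in the list of resolvers you know you configured. The two 93.188.x.x addresses come from the log above; the `192.168.1.1` "expected" resolver in the usage line is an assumed router address you would replace with your own.

```powershell
# Added example (not from the thread): audit the DNS-resolver registry values that
# Trojan.DNSChanger rewrote in the posted Malwarebytes log. Windows PowerShell 5.1+.
# Run from an elevated prompt; reading HKLM works unelevated, but keep it consistent.

# Rogue resolvers quoted in the poster's log. Extend with anything your own scan flags.
$script:KnownBad = @('93.188.166.105', '93.188.161.105')
$script:Base     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DnsRegistryEntries {
    # One global Parameters key plus one Interfaces\{GUID} key per adapter.
    $paths = @($script:Base) +
             (Get-ChildItem "$($script:Base)\Interfaces" | ForEach-Object { $_.PSPath })

    foreach ($path in $paths) {
        # DhcpNameServer = what DHCP handed out; NameServer = statically configured.
        foreach ($valueName in 'DhcpNameServer', 'NameServer') {
            $raw = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue).$valueName
            if (-not $raw) { continue }
            # Windows stores these as space- or comma-separated lists of addresses.
            foreach ($ip in ($raw -split '[ ,]+' | Where-Object { $_ })) {
                [pscustomobject]@{ Path = $path; Value = $valueName; Resolver = $ip }
            }
        }
    }
}

function Test-DnsResolvers {
    param(
        # Resolvers you actually configured (router LAN address, ISP or public DNS).
        [string[]]$Expected
    )
    foreach ($entry in Get-DnsRegistryEntries) {
        $status =
            if ($script:KnownBad -contains $entry.Resolver)                 { 'KNOWN-BAD' }
            elseif ($Expected -and ($Expected -notcontains $entry.Resolver)) { 'UNEXPECTED' }
            else                                                             { 'ok' }
        $entry | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    }
}

# Usage: 192.168.1.1 is an assumed router address; substitute the resolvers you set yourself.
$report = Test-DnsResolvers -Expected '192.168.1.1'
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Status -ne 'ok' }) {
    Write-Warning 'One or more adapters point at resolvers you did not configure.'
}
```

    Because the script only reads the registry, it is safe to schedule at logon and compare against the previous run; a `DhcpNameServer` value that keeps reappearing after a clean scan points at whatever is handing out leases (the router, as Doug G suggested) rather than at the laptop. Pinning the adapter to static resolvers through the TCP/IP properties dialog described in post #4 makes the `NameServer` value the one that matters, which is exactly the value this check also reports.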
#7
    Grumpier old Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jun 2003
    Posts
    14,445
    Rep Power
    4539
    I'm glad you got a solution.
    ======
    Doug G
    ======
    Bartender to Rene Descartes "have another beer?" Descartes: "I think not" and he vanished.
    --Alfred Bester
