Removing Trojan.DNSChanger?

December 10, 2010 at 01:40:46
Specs: Windows 7

I've looked around how to get rid of this trojan but it keeps coming back.
Malwarebytes reads this:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 10.10.10.1 93.188.161.105 93.188.166.105 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8a866960-87ce-40b9-ad94-b308ef0bc62f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 10.10.10.1 93.188.161.105 93.188.166.105 -> Quarantined and deleted successfully.



#1
December 10, 2010 at 07:02:57

Please check the DNS settings on both your router, if you have one, and the PC. I recommend that this be done in safe mode. Then, redownload a copy of Malwarebytes with the most current descriptions. I suggest running Malwarebytes in safe mode.

mike



#2
December 12, 2010 at 22:12:24

Check and what?

I have redownloaded Malwarebytes and scanned in safe mode but it still comes back. Now I get this:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Bad: (93.188.161.105) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Bad: (93.188.166.105) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8A866960-87CE-40B9-AD94-B308EF0BC62F}\DhcpNameServer (Trojan.DNSChanger) -> Bad: (93.188.161.105) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8A866960-87CE-40B9-AD94-B308EF0BC62F}\DhcpNameServer (Trojan.DNSChanger) -> Bad: (93.188.166.105) Good: () -> Quarantined and deleted successfully.



#3
December 14, 2010 at 12:09:11

Here is my suggestion, though it may take a little computer knowledge. Open up the registry and search for dhcpnameserver and see what comes up.

Then go into your file search and look for the same dhcpnameserver.

Then let me know what comes up with both (don't delete anything yet; messing with the registry can cause all sorts of problems).

mike



#4
December 15, 2010 at 00:49:59

Yeah, I'm not sure if I'm doing this correctly. Found these in the registry while searching for DhcpNameServer:
HKEY_LOCAL_MACHINE\SYSTEM\services\Dhcp\Parameters\Options\44
Name: RegLocation
Type: REG_MULTI_SZ
Data: SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_?\DhcpNameServerListSYSTEM\CurrentControlSet\Services\NetBT\Adapters\?\DhcpNameServer

HKEY_LOCAL_MACHINE\SYSTEM\services\Dhcp\Parameters\Options\6
Name: RegLocation
Type: REG_MULTI_SZ
Data: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpNameServerSYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\Interfaces\Tcpip_{8A866960-87CE-40B9-AD94-B308EF0BC62F}
Name: DhcpNameServerList
Type: REG_MULTI_SZ
Data: 10.10.10.1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters
Name: DhcpNameServer
Type: REG_SZ
Data: 10.10.10.1 93.188.161.105 93.188.166.105

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{8A866960-87CE-40B9-AD94-B308EF0BC62F}
Name: DhcpNameServer
Type: REG_SZ
Data: 10.10.10.1 93.188.161.105 93.188.166.105
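
Added example, not part of any post in this thread: a read-only PowerShell audit of the registry values discussed in #3 and #4. It lists every DhcpNameServer and NameServer entry under the Tcpip parameters key and marks addresses missing from an expected list; the contents of `$Expected` are an assumption and must be set to the resolvers your router or ISP actually provides.

```powershell
# Added example (read-only; changes nothing). Written to run on PowerShell 2.0,
# the version that ships with Windows 7.
# ASSUMPTION: $Expected holds the resolvers you trust. 10.10.10.1 is the
# private address seen in the thread; replace it with your own router/ISP values.
$Expected = @('10.10.10.1')

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# The global key plus one subkey per network interface (each named by a GUID).
$keys = @($base) + @(Get-ChildItem -Path "$base\Interfaces" |
                     ForEach-Object { $_.PSPath })

$report = foreach ($key in $keys) {
    $props = Get-ItemProperty -LiteralPath $key

    # DhcpNameServer is filled in from the DHCP lease;
    # NameServer is the manually configured (static) setting.
    foreach ($name in 'DhcpNameServer', 'NameServer') {
        $data = $props.$name
        if (-not $data) { continue }   # value missing or empty

        # The data is a space- or comma-separated list of addresses.
        foreach ($addr in ($data -split '[ ,]+' | Where-Object { $_ })) {
            New-Object PSObject -Property @{
                Key      = ($key -replace '^.*Parameters', 'Parameters')
                Value    = $name
                Address  = $addr
                Expected = ($Expected -contains $addr)
            }
        }
    }
}

# Unexpected addresses (Expected = False) sort to the top.
$report | Sort-Object Expected, Key |
    Format-Table Key, Value, Address, Expected -AutoSize
```

Because DhcpNameServer is rewritten from each DHCP lease, entries that reappear after deletion point at the DHCP source (usually the router) as the place to look next.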



#5
December 15, 2010 at 06:54:34

I am thinking that there is a rootkit involved. I would suggest using RKill from here:

http://www.bleepingcomputer.com/for...

Make sure that you read the info there before using.

Secondly, I would advise running Malwarebytes again in safe mode after this process.

Let me know what comes up; sorry to be so slow in replying.

mike



#6
December 15, 2010 at 17:39:36

I'm not fast with replying either so that is alright.

I ran rkill but it doesn't list anything. Is it supposed to do that?
Trojan.DNSserver still comes back.

