TechSpot

Can't remove Zlob.DNSChanger or Trojan.DNSChanger

By swright14
Dec 24, 2008
  1. I have a trojan that I can't get to stay removed. Spybot detects it as Zlob.DNSChanger, and Malwarebytes Anti-Malware detects it as Trojan.DNSChanger. Both say they remove it, but then it reappears again rather quickly. My Mozilla homepage gets redirected, and Internet Explorer gets redirected to MSN whenever I try to get to the Windows Update site.

    I've attached the logs from Malwarebytes Anti-Malware, SuperAntiSpyware and hijack this. Can you help me get rid of this thing?
     
  2. mflynn

    mflynn TS Rookie Posts: 2,793

    Hi swright14

    OK do this:

    Download SDFix to the Desktop. Among other things it includes Catchme, to look for rootkits.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On the Desktop run SDFix. It will run (install), then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to the desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On the normal restart the Fixtool will run again, complete the removal process and then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.
    ----------------------------------------------------------------------------------------------------------------------------------
    ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double-click combofix.exe and follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
     
  3. swright14

    swright14 TS Rookie Topic Starter

    New logs

    I ran SDFix and ComboFix, those logs and a new HJT log are attached.
     
  4. Tedster

    Tedster Techspot old timer..... Posts: 10,074   +13

  5. mflynn

    mflynn TS Rookie Posts: 2,793

    Hi Sw

    Run HJT, "Scan only", then select and remove the entries below:

    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    O23 - Service: ISAM SMT Service (ISAMsmt) - Unknown owner - C:\Program Files\C4ebreg\isamsmt.exe (file missing)

    Run SAS, click Preferences > Repairs, and counting from the top as #1, do the following entries, then reboot:

    5-7-9-10-11-13-14-15-18 -19-21-22

    On Reboot run another Combofix to confirm last log and attach new log.

    Then Update Norton and scan once more.

    Mike
     
  6. swright14

    swright14 TS Rookie Topic Starter

    New logs

    I did the cleanup using HJT, did the repairs using SAS, reran ComboFix, and updated and performed a scan with Symantec. Symantec did not find anything. My homepage still gets redirected using Mozilla, and I still get redirected to MSN when I try to go to the microsoft update site.

    The new logs from combofix and hjt are attached.

    Is it possible to get rid of this thing? I actually have it on 5 computers at home, and have been fighting to get rid of it for 5 days now.
     
  7. mflynn

    mflynn TS Rookie Posts: 2,793

    Hi SW

    Do the below

    COMBOFIX-Script
    Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    File::
    c:\windows\x
    Folder::
    c:\windows\system32\(null)
    Then drag this script and drop it on top of ComboFix.

    ComboFix will now run a scan on your system.

    It may reboot your system when it finishes. This is normal.

    When finished, it will create a log. Attach the log back to us.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Run HJT, "Scan only", then select and remove the entries below:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ibm.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://w3.ibm.com/download/standardsoftware/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dc1.textron.com:8080
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com

    Reboot new ComboFix log.

    Then

    Clean and update Java
    Cleanup old Java and update to newest version this program will do it all for you.

    Download JavaRa http://prm753.bchea.org/JavaRa.html

    Unzip it and run it. To update, choose Jucheck (Sun's updater) first, and if you do not have Jucheck then choose Update using Sun.

    After the update, choose Cleanup old versions. Give it a minute, and after it pops up the log file you will see what it removed.

    Then click "Additional tasks" and check "Remove useless JRE files" and "Remove JavaRa log files".

    After that run Search for Updates again to confirm you are up to date.
    After that run remove older versions again. This time the Log file should be empty.


    Mike
     
  8. swright14

    swright14 TS Rookie Topic Starter

    New combofix log

    I cannot download JavaRa, the download never starts. A new combofix log is attached.
     
  9. mflynn

    mflynn TS Rookie Posts: 2,793

  10. swright14

    swright14 TS Rookie Topic Starter

    updated java

    I did get java updated, and got JavaRa to download and run. It won't update, it opens a blank window, but the last time I ran it, it didn't find anything to remove.

    What next?
     
  11. mflynn

    mflynn TS Rookie Posts: 2,793

    OK did you have to reset your Home page and do we still have the same redirection issues?

    Mike
     
     
  12. swright14

    swright14 TS Rookie Topic Starter

    home page and redirection

    My home page gets redirected with Mozilla, but not with IE. I still get redirected trying to get to the Windows Update site, and Malwarebytes AntiMalware still keeps finding the trojan. It will remove it, I run it again and it will run clean, then the trojan reappears as soon as I go online.
     
  13. mflynn

    mflynn TS Rookie Posts: 2,793

    Send me the last log with found Trojan!

    Drag the mouse with the left button down across all the text in the box below, then paste it into an open CMD prompt and hit Enter. Ignore any errors for now.
    Code:
    @echo off
    REM Save the current IP settings before changing anything
    ipconfig /all >"%USERPROFILE%\Desktop\ipconfig.out"
    netsh interface ip delete arpcache
    ipconfig /flushdns
    ipconfig /release *
    ipconfig /renew *
    ipconfig /registerdns
    nbtstat -RR
    REM Save a log of the current Winsock catalog (LSPs), then reset it
    netsh winsock show catalog >"%USERPROFILE%\Desktop\lsp.txt"
    netsh winsock reset catalog
    REM Winsock after the reset
    netsh winsock show catalog >>"%USERPROFILE%\Desktop\lsp.txt"
    REM Reset the TCP/IP stack; the log file name is required on XP
    netsh int ip reset "%USERPROFILE%\Desktop\tcpreset.txt"
    exit
    Reboot, look for the new files on the desktop, and attach their contents back to the thread.

    Mike
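A way to check what the batch above actually captured, as an added example (not part of mflynn's post or of any tool he names): the script below parses an `ipconfig /all` dump such as the ipconfig.out the batch saves to the Desktop and flags every DNS server that is not on an allow-list. The sample dump, the trusted range (192.168.1.0/24, assumed to be the home router's subnet) and the rogue addresses (TEST-NET blocks used as stand-ins, not the real DNSChanger servers) are all constructed for this example. The distinction it draws matters for cleanup: an untrusted resolver on an adapter with DHCP enabled was handed out by the DHCP server, which on a home LAN is the router, so the router's DNS settings are what to inspect; on an adapter with DHCP disabled it was set on the host itself.

```python
"""Flag DNS servers in an "ipconfig /all" dump that are not on an allow-list.
Added example, not code from the thread; the sample dump, trusted range and
rogue resolver addresses are all constructed."""
import ipaddress
import re
import sys

# Constructed sample in the Windows XP "ipconfig /all" layout. The rogue
# resolvers use TEST-NET addresses (203.0.113.x, 198.51.100.x) as stand-ins.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : HOMEPC

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            203.0.113.54

Ethernet adapter Wireless Network Connection:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.101
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 198.51.100.53
                                            192.168.1.1
"""
# Assumption: the home router's subnet is the only place a resolver should live.
TRUSTED = ["192.168.1.0/24"]

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
# "   DNS Servers . . . . : 192.168.1.1" -> ("DNS Servers", "192.168.1.1")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*: ?(.*)$")
# Extra values of a multi-valued field sit indented on their own line.
CONT_RE = re.compile(r"^\s+(\S.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field name: [values]}} for each adapter block."""
    adapters, current, last_field = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                 # blank line ends any continuation
            last_field = None
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current, last_field = m.group(1), None
            adapters[current] = {}
            continue
        if current is None:          # "Windows IP Configuration" header block
            continue
        m = FIELD_RE.match(line)
        if m:
            last_field, value = m.group(1).strip(), m.group(2).strip()
            adapters[current].setdefault(last_field, [])
            if value:
                adapters[current][last_field].append(value)
            continue
        m = CONT_RE.match(line)
        if m and last_field:
            adapters[current][last_field].append(m.group(1).strip())
    return adapters


def rogue_dns(adapters, trusted):
    """Return (adapter, server, origin) for every DNS server outside `trusted`.
    origin is "dhcp" when the DHCP server (the router on a home LAN) handed the
    resolver out, "static" when it was configured on the host itself."""
    nets = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for name, fields in adapters.items():
        dhcp = fields.get("Dhcp Enabled") or fields.get("DHCP Enabled") or ["No"]
        origin = "dhcp" if dhcp[0].lower() == "yes" else "static"
        for server in fields.get("DNS Servers", []):
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:       # skip anything that is not a bare address
                continue
            if not any(addr in net for net in nets):
                findings.append((name, server, origin))
    return findings


def main(argv):
    if len(argv) > 1:                # ipconfig writes in the console's OEM code page
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_IPCONFIG
    hits = rogue_dns(parse_ipconfig(text), TRUSTED)
    for adapter, server, origin in hits:
        hint = "DHCP-assigned, check the router" if origin == "dhcp" else "static, check the host"
        print(f"{adapter}: untrusted DNS server {server} ({hint})")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no argument to see the constructed sample, or point it at the saved dump, e.g. `python dns_audit.py "%USERPROFILE%\Desktop\ipconfig.out"` (dns_audit.py is an assumed file name). Adjust TRUSTED to the router address and any resolvers the ISP legitimately assigns; a non-zero exit status means at least one adapter is pointed at a resolver outside that list.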
     
  14. swright14

    swright14 TS Rookie Topic Starter

    new files attached

    The log from Malwarebytes AntiMalware is attached, as well as the other logs.

    FYI - since running all these jobs to try to clean the system, now when I reboot, I need to disable and re-enable my lan adapter before I can access any internet sites. What could have caused that?
     
  15. MarriedMan46

    MarriedMan46 TS Rookie

    I had the DNSChanger trojan and just got rid of it today. It had installed itself on my Linksys router, so any time I removed it using MalwareBytes, it got reinstalled via the wireless router. The simple fix was to reset the router with the reset button after removing it from the computer with the above software. This will mean you have to set up a connection again, but it works!

    I have AMD 6000+ X2, Vista 64 Ultimate, Biostar MB, 6gb installed, 250 gb hd and 80gb hd, linksys wireless router and Motorola cable modem on comcast.

    All else failed to remove it completely until I did this. Also the trojan has been reworked, so the original files that you would look for aren't there. I found it with the registry entries. There are no TDSS files, etc.
     
  16. B00kWyrm

    B00kWyrm TechSpot Paladin Posts: 1,554   +18

    As BlindDragon has already posted in another thread, in reply to this "answer"...

     