Can't remove Zlob.DNSChanger or Trojan.DNSChanger


swright14
I have a trojan that I can't get to stay removed. Spybot detects it as Zlob.DNSChanger, and Malwarebytes Anti-Malware detects it as Trojan.DNSChanger. Both say they remove it, but then it reappears again rather quickly. My Mozilla homepage gets redirected, and Internet Explorer gets redirected to MSN whenever I try to get to the Windows Update site.

I've attached the logs from Malwarebytes Anti-Malware, SuperAntiSpyware and HijackThis. Can you help me get rid of this thing?
 
Hi swright14

OK do this:

Download SDFix to the Desktop; among other things it runs Catchme to look for rootkits.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At the Desktop, open My Computer, then the C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
----------------------------------------------------------------------------------------------------------------------------------
ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double-click combofix.exe and follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
 
Hi Sw

Run HJT (Scan only), select and remove the entries below.

O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: ISAM SMT Service (ISAMsmt) - Unknown owner - C:\Program Files\C4ebreg\isamsmt.exe (file missing)

Run SAS, click Preferences -> Repairs and, counting from the top as #1, do the following entries and reboot.

5-7-9-10-11-13-14-15-18-19-21-22

On reboot run another ComboFix to confirm the last log and attach the new log.

Then Update Norton and scan once more.

Mike
 
New logs

I did the cleanup using HJT, did the repairs using SAS, reran ComboFix, and updated and performed a scan with Symantec. Symantec did not find anything. My homepage still gets redirected using Mozilla, and I still get redirected to MSN when I try to go to the Microsoft Update site.

The new logs from combofix and hjt are attached.

Is it possible to get rid of this thing? I actually have it on 5 computers at home, and have been fighting to get rid of it for 5 days now.
 
Hi SW

Do the below

COMBOFIX-Script
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Code:
File::
c:\windows\x
Folder::
c:\windows\system32\(null)
Then drag this script and drop it on top of ComboFix.

ComboFix will now run a scan on your system.

It may reboot your system when it finishes. This is normal.

When finished, it will create a log. Attach the log back to us.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Run HJT (Scan only), select and remove the entries below:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ibm.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://w3.ibm.com/download/standardsoftware/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dc1.textron.com:8080
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com

Reboot and attach a new ComboFix log.

Then

Clean and update Java
Clean up old Java and update to the newest version; this program will do it all for you.

Download JavaRa http://prm753.bchea.org/JavaRa.html

Unzip it, run it; to update choose Jucheck (Sun's updater) first, and if you do not have Jucheck then choose Update using Sun.

After the update choose Cleanup old versions. Give it a minute and after it pops up the log file you will see what it removed.

Then click "Additional tasks" and check "Remove useless JRE files" and "Remove JavaRa log files".

After that run Search for Updates again to confirm you are up to date.
Then run Remove older versions again. This time the log file should be empty.


Mike
 
Updated Java

I did get Java updated, and got JavaRa to download and run. It won't update, it opens a blank window, but the last time I ran it, it didn't find anything to remove.

What next?
 
Home page and redirection

My home page gets redirected with Mozilla, but not with IE. I still get redirected trying to get to the Windows Update site, and Malwarebytes Anti-Malware still keeps finding the trojan. It will remove it, I run it again and it will run clean, then the trojan reappears as soon as I go online.
 
Send me the last log with found Trojan!

Drag the mouse with the left button down across all the text in the box below, then paste it into an open CMD prompt and hit Enter; ignore any errors for now.
Code:
@echo off
rem Save the current IP settings to a file on the Desktop
ipconfig /all >"%USERPROFILE%\Desktop\ipconfig.out"
netsh interface ip delete arpcache
ipconfig /flushdns
ipconfig /release *
ipconfig /renew *
ipconfig /registerdns
nbtstat -RR
rem Save a log of the current Winsock (LSP) catalog
netsh winsock show catalog >"%USERPROFILE%\Desktop\lsp.txt"
rem Reset Winsock
netsh winsock reset catalog
rem Winsock catalog after the reset, appended to the same file
netsh winsock show catalog >>"%USERPROFILE%\Desktop\lsp.txt"
rem Reset the TCP/IP stack; netsh writes its reset log to the named file
netsh int ip reset "%USERPROFILE%\Desktop\tcpreset.txt"
exit
Reboot, see the new icons on the desktop, and attach their contents back to the thread.

Mike
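The batch file above saves the output of ipconfig /all to ipconfig.out. A DNS changer does its damage by pointing the machine at resolvers it controls, so that file is worth reading for DNS servers that don't belong. The following Python example is added here and is not from the thread: it parses that layout and flags any DNS server that is neither the adapter's own gateway nor inside a trusted range you supply (your ISP's resolvers, your LAN). The sample output and all addresses in it are constructed.

```python
import ipaddress
import re
# Constructed sample of "ipconfig /all" output, in the layout the thread's batch file
# saves to Desktop\ipconfig.out; the addresses are made up for illustration.
SAMPLE_IPCONFIG = """\
Windows IP Configuration
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.7
                                            203.0.113.8
"""

FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*:\s*(.*)$")  # "Key . . . : value"
CONT_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")  # bare IPv4 on a continuation line

def parse_ipconfig(text):
    """Return {adapter: {"gateway": str | None, "dns": [ipv4, ...]}} from ipconfig /all text."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]  # adapter header, e.g. "Ethernet adapter ..."
            adapters[current] = {"gateway": None, "dns": []}
            continue
        if current is None:
            continue  # skip the "Windows IP Configuration" block before the first adapter
        field = FIELD_RE.match(line)
        if field:
            last_key, value = field.group(1).strip(), field.group(2).strip()
            if last_key == "Default Gateway" and value:
                adapters[current]["gateway"] = value
            elif last_key == "DNS Servers" and value:
                adapters[current]["dns"].append(value)
            continue
        cont = CONT_RE.match(line)
        if cont and last_key == "DNS Servers":  # second/third DNS server on its own line
            adapters[current]["dns"].append(cont.group(1))
    return adapters

def find_unexpected_dns(adapters, trusted):
    """Flag DNS servers that are neither the adapter's gateway nor in a trusted range."""
    trusted_nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    findings = []
    for name, info in adapters.items():
        for server in info["dns"]:
            if server == info["gateway"]:
                continue  # the router handing out DNS itself is the normal home setup
            if not any(ipaddress.ip_address(server) in net for net in trusted_nets):
                findings.append((name, server))
    return findings
```

A hit does not prove infection (some ISPs hand out public resolver addresses via DHCP), but a resolver nobody configured on purpose is exactly what the thread's reinfection pattern looks like, and if the router is handing it out the router needs the reset too.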
 
new files attached

The log from Malwarebytes AntiMalware is attached, as well as the other logs.

FYI - since running all these jobs to try to clean the system, now when I reboot, I need to disable and re-enable my LAN adapter before I can access any internet sites. What could have caused that?
 
I had the DNSChanger trojan and just got rid of it today. It had installed itself on my Linksys router, so any time I removed it using MalwareBytes, it got reinstalled via the wireless router. The simple fix was to reset the router with the reset button after removing it from the computer with the above software. This will mean you have to set up a connection again, but it works!

I have AMD 6000+ X2, Vista 64 Ultimate, Biostar MB, 6gb installed, 250 gb hd and 80gb hd, linksys wireless router and Motorola cable modem on comcast.

All else failed to remove it completely until I did this. Also the trojan has been reworked, so the original files that you would look for aren't there. I found it with the registry entries. There are no TDSS files, etc.
 
As BlindDragon has already posted in another thread, in reply to this "answer"...

Thanks for sharing, ...
The procedure you describe may fix symptoms however I encourage anybody with this problem to run through the 8 steps and post the logs as there may be more to it.

Regards,

BD
 