brendo's hijackthis log


Re: brendo's hijackthis log

Postby FieryDemon » Tue Apr 13, 2010 9:12 am

Download The Avenger

Open it and under the 'Input Script' area, paste the following

Code:



Then press execute. Post the log afterwards.

Delete your copy of combofix and grab a fresh copy here.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Real-time protection: Avira, Comodo Firewall and D+, Malwarebytes Pro
Anti-keylogging: KeyScrambler
OS: Vista 32-bit
User avatar
FieryDemon
Regular Contributor
 
Posts: 567
Joined: Tue Feb 09, 2010 1:16 pm
Has thanked: 0 time
Have thanks: 3 times

Re: brendo's hijackthis log

Postby brendo88 » Tue Apr 13, 2010 9:26 am

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Tue Apr 13 09:18:53 2010

09:18:27: Error: Could not execute registry backup. (error 5: access is denied.)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open driver "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer"
Disablement of driver "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open driver "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce9c5414-e4ad-4f26-8158-7e177b946699}\DhcpNameServer"
Disablement of driver "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce9c5414-e4ad-4f26-8158-7e177b946699}\DhcpNameServer" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer" not found!
Deletion of driver "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce9c5414-e4ad-4f26-8158-7e177b946699}\DhcpNameServer" not found!
Deletion of driver "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce9c5414-e4ad-4f26-8158-7e177b946699}\DhcpNameServer" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Re: brendo's hijackthis log

Postby FieryDemon » Tue Apr 13, 2010 10:01 am

Try this instead.

Code:
Registry keys to delete::
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce9c5414-e4ad-4f26-8158-7e177b946699}\DhcpNameServer

Re: brendo's hijackthis log

Postby brendo88 » Wed Apr 14, 2010 11:44 am

I did a second time with The Avenger and it gave me an invalid script message.

Re: brendo's hijackthis log

Postby FieryDemon » Wed Apr 14, 2010 9:10 pm

OK... let's try RegAssassin.

http://www.malwarebytes.org/regassassin.php

Then copy the two registry keys ONE at a time and try deleting them.

Re: brendo's hijackthis log

Postby brendo88 » Thu Apr 15, 2010 5:55 pm

It still won't go away.

Re: brendo's hijackthis log

Postby Dieselman » Thu Apr 15, 2010 6:16 pm

Well, whatever is on your PC is also on your father's. Try disconnecting from the internet and doing as suggested.

Re: brendo's hijackthis log

Postby FieryDemon » Thu Apr 15, 2010 7:13 pm

Ok I think I know what you are dealing with now. Follow the steps as directed. Don't miss anything.

1. Turn off system restore

Steps to turn off System Restore for BOTH

1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:

2. Disconnect from your router

Disconnect BOTH your and your dad's computer from the router (if there are more computers connected, disconnect them all). Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10-15 seconds).

3. Run a FULL scan with MBAM on BOTH computers.

Remove the DNS.Trojan infections again and reboot both computers.

4. Connecting

Make sure you have reset your router back to FACTORY default settings. Then connect both computers back to the router.

5. Final scan

Run a FULL scan with MBAM on both computers. Post the last log.

Re: brendo's hijackthis log

Postby brendo88 » Thu Apr 15, 2010 8:56 pm

Weird thing... I ran MBAM after I disconnected my internet and it didn't find the DNS changer, and then I reconnected the internet and it did find it again. I will have to wait on resetting the router. But I did run a scan on my dad's computer with MBAM and it found the DNS changer and a rogue.installer. I removed the rogue installer.

BTW I live in UT and we just had an earthquake. I live a one hour drive north of Salt Lake City.
Good news: no damage or anything. Some people felt it in Salt Lake, but it was like 73 miles northeast of there.

Re: brendo's hijackthis log

Postby FieryDemon » Thu Apr 15, 2010 9:08 pm

I'm glad you and your family are OK. Take your time to respond, no hurry.

Your infection is not on your computer but rather on your router. Thus, all the computers connected to your router are infected, as the malware changes your DNS settings as soon as you connect your computer to your router. MBAM only removes the infections on your computer but not the malware on the router, and it will keep restoring the registry entries. As long as you don't reset your router to factory default settings, the trojan will modify and download malware on both computers.
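The mechanism FieryDemon describes (the router hands rogue resolvers to every PC over DHCP, so the DhcpNameServer values come back after each cleanup) can be checked from the PC side by reading the same Tcpip\Parameters keys the Avenger script targeted. This is an added example, not from the thread or from any tool named in it; the $TrustedResolvers list is a placeholder you fill in with your ISP's or your own resolvers, and anything not on it and not a private (RFC 1918) address such as the router itself is reported.

```powershell
# Added example (not from the thread): list every DNS resolver Windows is
# currently configured with, per adapter, and flag any that is neither a
# private/router address nor on the allow-list. A DNS changer on the router
# re-pushes its resolvers via DHCP each time the PC joins the network, which
# is why the registry entries reappear right after they are removed.
$TrustedResolvers = @('203.0.113.53')   # placeholder value: replace with your real resolvers

function Test-PrivateIPv4 {
    param([string]$Ip)
    # RFC 1918 ranges; a home router handing out its own address as DNS lands here
    return ($Ip -match '^10\.' -or $Ip -match '^192\.168\.' -or $Ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.')
}

function Get-SuspiciousDnsServers {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $findings = @()
    # The global key plus one subkey per interface GUID, the same locations
    # named in the Avenger script earlier in this thread.
    $keys = @(Get-Item $base) + @(Get-ChildItem "$base\Interfaces")
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key.PSPath
        # DhcpNameServer: pushed by the DHCP server (the router). NameServer: set statically.
        foreach ($name in 'DhcpNameServer', 'NameServer') {
            $raw = $props.$name
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            foreach ($ip in ($raw -split '[ ,]+')) {
                if ($ip -and -not (Test-PrivateIPv4 $ip) -and ($TrustedResolvers -notcontains $ip)) {
                    $findings += [pscustomobject]@{
                        Key      = $key.PSChildName   # 'Parameters' or the interface GUID
                        Source   = $name              # which value carried it
                        Resolver = $ip
                    }
                }
            }
        }
    }
    return $findings
}

$hits = Get-SuspiciousDnsServers
if ($hits) { $hits | Format-Table -AutoSize } else { 'No unexpected DNS resolvers found.' }
```

Run it once while disconnected and again after reconnecting to the router: resolvers that only appear in the second run under DhcpNameServer are being supplied by the router, not by anything on the PC. If the router hands out its own private address and forwards to rogue servers upstream, this check will come back clean, and the router's own WAN DNS settings have to be inspected instead.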
