Trojan.DNS_Changer?



#1
rajeev09

OK. So about a month ago I had the Google redirect virus but successfully removed it. Now I have my Yahoo searches and Google searches redirecting. When I try to run HijackThis or Malwarebytes Anti-Malware nothing happens. The best I've done is run Spyware Doctor, and one of the errors it found was Trojan.DNS_Changer. Please help as to how I can get rid of it. As of now I'm not sure how to post a HijackThis log since it won't open whenever I click it. Should I run an online scanner and post the report here? Please help, anyone. My computer is starting to freeze a lot now.

Edited by rajeev09, 02 June 2009 - 06:42 PM.



#2
RKinner

To bypass a DNS Changer do the following:

1. Click "Start," click "Control Panel," click "Network and Internet Connections," and then click "Network Connections."
2. Right-click the network connection that you want to configure (the one you use to connect to the Internet), and then click Properties.
3. On the General tab (for a local area connection), or the Networking tab (for all other connections), click "Internet Protocol (TCP/IP)", and then click "Properties."

4. Click "Use the following DNS server addresses," and then type 199.166.28.10 in the Preferred DNS server and 4.2.2.1 in the Alternate DNS server boxes.

5. Click "OK"

Reboot. Verify that the changes worked:

Click "Start," click "Run," type cmd, and click OK to bring up a black command window. Type the following, with an Enter after each line:

ipconfig /all

(There will be an entry for DNS Server. Verify that it has the 199.168.28.10 and 4.2.2.1 addresses.)

exit

Sometimes you can get HijackThis to work by changing its name.

Now if you have XP, see if you can get Ice Sword to download and run:

Download ice sword from:

http://majorgeeks.co...word_d5199.html
using one of the links under DOWNLOADS.

SAVE it to your desktop, close all programs and then right-click on it and select Extract All. Let it extract to your desktop. It should create a folder icesword122en on your desktop. Double-click on the folder icesword122en to open it and then double-click on icesword.exe.

It should open a new window. In the left column at the bottom click on File. Then on the "+" in front of Local Drive C: then on the "+" in front of Windows. Click on the "+" in front of System32. You will have to scroll down to find it. Click on Drivers.

Look in the right pane and if you see any which are named:
clbdriver.sys, tdsserv.sys or seneka.sys. Right click on them and Force Delete.

Also Force Delete any which start with TDS or UAC or ovfst.

If you don't find any of the above then click once or twice on the column header which says Date Modified and then write down the names of the 10 newest files. Repeat for System32.

Now look in the left column where it says Functions and under Functions find SSDT and click on it. Look in the right hand pane for lines in red. Usually there will be more than one line referencing the same file path so don't bother copying every line. Just give me the file path once.

Download but do not yet run ComboFix.
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop, do not run it.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.



* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time.

Reboot now, please.



Post Back (copy/paste the .txt files, do not use attachments)
After following the above, post back with:



1. Name of files you Force Deleted or ten newest files in Drivers and System32

2. Contents of C:\Combofix.txt;




Ron
PS If you can't get to the download sites, have a friend download the files and put them on a CD. Don't use a USB drive unless it's never been on your PC and you can leave it in until we finish. Copy the tools to your desktop and then proceed as above.
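
An added example, not part of the post above: a Python check for the "ipconfig /all" verification step that reads saved output, collects the DNS servers listed under each adapter (including servers on continuation lines), and reports any address outside the expected set. The sample output, the adapter names and the 203.0.113.53 address are constructed; EXPECTED_DNS assumes the addresses typed in step 4.

```python
import re

# Resolvers typed in step 4 of the post; assumed here to be the intended values.
EXPECTED_DNS = {"199.166.28.10", "4.2.2.1"}
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")
IPV4_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

# Constructed sample in the XP `ipconfig /all` layout; 203.0.113.53 is a documentation address.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.20
        DNS Servers . . . . . . . . . . . : 199.166.28.10
                                            4.2.2.1

Ethernet adapter Wireless Network Connection:

        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            4.2.2.1
"""

def dns_servers_by_adapter(text):
    """Map each adapter heading to the DNS servers listed under it."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        field = FIELD_RE.match(line)
        if header:
            adapter, in_dns = header.group(1), False
            result[adapter] = []
        elif adapter and in_dns and IPV4_RE.match(line):
            result[adapter].append(line.strip())  # extra servers sit alone on a line
        elif adapter and field:
            in_dns = field.group(1).lower() == "dns servers"
            if in_dns and field.group(2).strip():
                result[adapter].append(field.group(2).strip())
        else:
            in_dns = False
    return result

def unexpected_dns(text, expected=EXPECTED_DNS):
    """Return {adapter: [servers outside the expected set]}, omitting clean adapters."""
    odd = {a: [s for s in v if s not in expected] for a, v in dns_servers_by_adapter(text).items()}
    return {a: v for a, v in odd.items() if v}

if __name__ == "__main__":
    print(unexpected_dns(SAMPLE))
```

To use it on a real machine, redirect the command's output to a text file and pass the file's contents to unexpected_dns; every adapter is checked, not only the one that was edited.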