Have you heard of the DNSChanger Trojan? I read a blog entry saying that it’s getting more common these days, so I thought I’d put an entry here at sysadmindayph; after all, it’s part of the day’s work.
What is a Trojan?
A Trojan is a program that enables an attacker to get nearly complete control over an infected PC, and it is a tool frequently used by malicious hackers. When the program executes, it performs a specific set of actions, usually aimed at letting the trojan survive on the system and open up a backdoor.
What is DNSChanger Trojan?
Trojan DNSChanger is the name of a group of trojans (Zlob DNS changer, Troj/Rustok-N, W32/Tidserv, …) that hijack your DNS settings, redirect you to malicious websites and steal personal identities.
Like I said, the DNSChanger trojan is not new, but according to net-security, this new kind of DNSChanger trojan ‘now conducts brute-force attacks against the administration web interface of popular routers. The malware performs a “dictionary attack” based on a list of hardcoded credentials, consisting of the web interface URLs to popular routers – such as from vendors D-Link, Linksys and others -, and their default user names and passwords. This poses a great security risk for those users that do not change their router’s factory default settings. The Trojan tries one combination per approximately 100 milliseconds, which makes 600 combinations per minute.’
Trojan DNSChanger symptoms
- Windows Update redirects you to msn.com.
- Search results in Google, Yahoo, MSN and others redirect you to unrelated sites.
- Google/Yahoo/MSN results redirect you via copy-book.com or another fake site.
- Google/Yahoo/MSN have become slower when doing searches.
- Facebook and YouTube redirect to different sites.
How To Remove DNSChanger Trojan
1. Disable and remove trojan drivers.
Skip this step if none of the drivers TDSSserv.sys (or TDSSxyz.sys, where xyz are random characters), msqpdxserv.sys or seneka.sys are listed in the list of drivers.
- Right click the My computer icon. If you are using the non classic Start menu, then right click My computer icon on your Start button menu.
- Click Properties.
- Click Hardware Tab.
- Click Device Manager.
- In the top menu, click View and click Show Hidden Drivers.
- Scroll down to non Plug and Play drivers.
- Click + at left.
- In the list of drivers, right click TDSSserv.sys (or TDSSxyz.sys, where xyz are random characters), msqpdxserv.sys, seneka or seneka.sys.
- Click Disable.
- Click Yes to confirm.
- Close all windows and reboot your computer.
- Download Avenger from here and unzip to your desktop.
- Run Avenger, copy, then paste the following text into the Input script box:
Drivers to delete:
TDSSserv.sys
msqpdxserv.sys
seneka
seneka.sys
ndisprot.sys
Files to delete:
C:\Windows\system32\wdmaud.sys
C:\resycled\bootmatrix.com
Folders to delete:
C:\resycled
Then click on ‘Execute’.
- You will be asked Are you sure you want to execute the current script?. Click Yes.
- You will now be asked First step completed — The Avenger has been successfully set up to run on next boot. Reboot now?. Click Yes.
- Your PC will now be rebooted.
2. Remove DNSChanger trojan files, registry keys and any associated malware.
- Download Malwarebytes Anti-Malware (MBAM). The program is designed to quickly detect, destroy and prevent malware, spyware and trojans.
- Once downloaded, close all programs and windows on your computer (including this one).
- Double-click on the icon named mbam-setup.exe to install the application.
- When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- MBAM will now start scanning your computer for malware. This process may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- MBAM will now delete all of the files and registry keys and add them to the quarantine.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
3. Repair your Internet settings (Set option “Obtain DNS servers automatically”).
Skip the step, if computer works fine.
- Go to Start -> Control Panel ->Network Connections.
- Right click your default connection (usually Local Area Connection, or Dial-up Connection if you are using dial-up) and left click Properties.
- Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice.
- Go to Start -> Run, enter CMD and click OK.
- At the DOS prompt screen, type cd\ and then press ENTER.
- Now type in ipconfig /flushdns and then press ENTER. (notice the space after ipconfig)
- Close the command prompt window.
- Reboot your PC and try to open any website.
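The checks behind steps 1 and 3 (suspicious non-Plug-and-Play drivers, statically configured DNS servers, and redirected lookups for the sites named under the symptoms) can be scripted so you can confirm the state of a machine before and after cleanup. The following PowerShell audit is an added example, not code from the original post or from any of the tools it mentions. It assumes Windows 8 / Server 2012 or later (for Resolve-DnsName and Get-CimInstance), an elevated prompt, and a reference resolver of your choosing; the 8.8.8.8 default is only an assumed placeholder, and the driver name patterns and probe hostnames are taken from the text above.

```powershell
# Added DNSChanger audit script (not from the original post).
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.
param(
    # Resolver used only to compare answers against the system resolver.
    # Assumed placeholder; replace with a resolver you trust (e.g. your ISP's).
    [string]$ReferenceResolver = '8.8.8.8',
    # Hostnames whose redirection the post lists as symptoms.
    [string[]]$ProbeNames = @('www.google.com', 'www.facebook.com', 'www.youtube.com')
)

$findings = @()

# 1. Driver names the post associates with DNSChanger (TDSSserv.sys, TDSSxyz.sys,
#    msqpdxserv.sys, seneka.sys, ndisprot.sys). Win32_SystemDriver lists kernel
#    drivers, including non-Plug-and-Play ones, without opening Device Manager.
$driverPattern = '^(TDSS|msqpdx|seneka|ndisprot)'
foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    if ($drv.Name -match $driverPattern -or
        [System.IO.Path]::GetFileName([string]$drv.PathName) -match $driverPattern) {
        $findings += "Suspicious driver: $($drv.Name) ($($drv.PathName)) state=$($drv.State)"
    }
}

# 2. Statically configured DNS servers. A machine set to "Obtain DNS servers
#    automatically" has an empty NameServer value under each TCP/IP interface key;
#    DNSChanger works by writing its own servers there.
$ifaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
foreach ($iface in Get-ChildItem -Path $ifaceKey) {
    $props = Get-ItemProperty -Path $iface.PSPath
    if ($props.NameServer) {
        $findings += "Static DNS on interface $($iface.PSChildName): $($props.NameServer)"
    }
}
# Per-adapter view, which also shows the DHCP-assigned servers for comparison.
foreach ($cfg in Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    $servers = ($cfg.DNSServerSearchOrder -join ', ')
    Write-Output "Adapter '$($cfg.Description)': DHCP=$($cfg.DHCPEnabled) DNS=$servers"
}

# 3. Resolution check: ask the system resolver and the reference resolver for the
#    same names and flag disagreement. CDN-backed names legitimately differ by
#    region, so a mismatch is a reason to look closer, not proof of infection.
foreach ($name in $ProbeNames) {
    try {
        $sysAnswer = @((Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
                        Where-Object { $_.QueryType -eq 'A' }).IPAddress | Sort-Object)
        $refAnswer = @((Resolve-DnsName -Name $name -Type A -Server $ReferenceResolver -ErrorAction Stop |
                        Where-Object { $_.QueryType -eq 'A' }).IPAddress | Sort-Object)
        if (-not (Compare-Object -ReferenceObject $sysAnswer -DifferenceObject $refAnswer)) {
            Write-Output "$name : system resolver agrees with $ReferenceResolver"
        } else {
            $findings += "$name : system resolver returned [$($sysAnswer -join ',')], " +
                         "$ReferenceResolver returned [$($refAnswer -join ',')]"
        }
    } catch {
        $findings += "$name : lookup failed ($($_.Exception.Message))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No DNSChanger indicators found.'
} else {
    Write-Output "`nFindings:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it once before step 1 to record what is present, and again after step 3 to confirm the drivers are gone and every adapter is back on DHCP-assigned DNS. The resolver comparison also covers step 4: if the machine is clean but lookups still disagree with the reference resolver, the DNS servers are probably being handed out by a router whose settings were changed.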
4. Clear DNSChanger infected machines using your router and reset router/modem settings.
Use this step if the DNSChanger trojan is still there after a reboot when you scan with Malwarebytes Anti-Malware again.
- If you have a home network or other DNSChanger infected machines using your router, you should clear them with the above steps.
- Now you should reset your router (the DNSChanger trojan can change the router’s DNS settings). Click the reset button on the back side of the router.
- You may also need to consult with your Internet service provider to find out which DNS servers you should be using.
If you are still having problems with your computer after completing these instructions, then please follow these instructions