dnsChange virus


Øyvind Granberg

Guest
Hi...

As a continuance of the thread "Do I have a virus?"

Well it's back. The Trojan.DNSChanger virus has really never left the
building.
I have downloaded and paid for software called Malwarebytes and it finds six
instances of this virus.
I choose to remove them, and the software wants to restart my computer.
After reboot, a rerun of Malwarebytes shows that my system is clean.
Then IE8 is started. All of a sudden I cannot connect to any website, not
even google
A new run of Malwarebytes reveals yet another six instances of the same
virus.

A checkup on all other computers in the household tells a tale of a massive
outburst.

I've got my ISP to reset the ADSL router, much against his beliefs, but no
fix.

I am running, amongst others, a self built Windows Vista Ultimate based pc,
with all updates, and all security measures running.
AVG 8
Windows Defender
A weekly run of Spybot and Adaware
I reckon if I can clean this computer I can easily fix the others.

What am I doing wrong here?
Is this Malwarebyte a hoax?


--

Vennlig hilsen
Øyvind Granberg

tresfjording@live.no
www.tresfjording.com
 
"Øyvind Granberg" wrote in message
news:2AA77F27-57A5-4CB9-AD8B-4769F1049533@microsoft.com...
> Hi...
>
> As a continuance of the thread "Do I have a virus?"
>
> Well it's back. The Trojan.DNSChanger virus has really never left the
> building.
> I have downloaded and paid for software called Malwarebytes and it finds
> six instances of this virus.
> I choose to remove them, and the software wants to restart my computer.
> After reboot, a rerun of Malwarebytes shows that my system is clean.
> Then IE8 is started. All of a sudden I cannot connect to any website, not
> even google
> A new run of Malwarebytes reveals yet another six instances of the same
> virus.
>
> A checkup on all other computers in the household tells a tale of a
> massive outburst.
>
> I've got my ISP to reset the ADSL router, much against his beliefs, but no
> fix.
>
> I am running, amongst others, a self built Windows Vista Ultimate based
> pc, with all updates, and all security measures running.


Are you running as admin and do you have UAC disabled?
(but aside from that "all security measures running")

> AVG 8
> Windows Defender
> A weekly run of Spybot and Adaware
> I reckon if I can clean this computer I can easily fix the others.
>
> What am I doing wrong here?


You want a list?

> Is this Malwarebyte a hoax?


No, it is a good application.

This malware is extremely sticky - check for rootkit activity.
 
On Thu, 13 Nov 2008 14:58:22 +0100, Øyvind Granberg wrote:

> Hi...
>
> As a continuance of the thread "Do I have a virus?"
>
> Well it's back. The Trojan.DNSChanger virus has really never left the
> building.
> I have downloaded and paid for software called Malwarebytes and it finds six
> instances of this virus.
> I choose to remove them, and the software wants to restart my computer.
> After reboot, a rerun of Malwarebytes shows that my system is clean.
> Then IE8 is started. All of a sudden I cannot connect to any website, not
> even google
> A new run of Malwarebytes reveals yet another six instances of the same
> virus.
>
> A checkup on all other computers in the household tells a tale of a massive
> outburst.
>
> I've got my ISP to reset the ADSL router, much against his beliefs, but no
> fix.
>
> I am running, amongst others, a self built Windows Vista Ultimate based pc,
> with all updates, and all security measures running.
> AVG 8
> Windows Defender
> A weekly run of Spybot and Adaware
> I reckon if I can clean this computer I can easily fix the others.
>
> What am I doing wrong here?
> Is this Malwarebyte a hoax?


Malwarebytes' Anti-Malware is a good-quality bona fide application.
After the software is updated try scanning in safe mode.
How do you boot to Safe Mode?
By pressing/tabbing F8 (or F5 on some keyboards) during re-boot.
A description of the Safe Mode Boot options in Windows XP
http://support.microsoft.com/default.aspx?scid=315222
Start your computer in safe mode (Vista)
http://windowshelp.microsoft.com/Windows/e...c904a11033.mspx
http://www.bleepingcomputer.com/tutorials/tutorial61.html
Alternatively:
click onto Start==>Run, type "msconfig" (without quotation marks), click
OK. Then click onto BOOT.INI tab and 'check' /SAFEBOOT then OK and click
Restart. To go back to Normal Mode, you must access the System
Configuration utility again and click the General tab then click/check the
radio button 'Normal Startup - load all device drivers and services'.

Not successful?

Download/execute:
David H. Lipman's MULTI_AV Tool
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe
http://www.pctipp.ch/downloads/dl/35905.asp
English:
http://www.raymond.cc/blog/archives/2008/0...virus-for-free/
Additional Instructions:
http://pcdid.com/Multi_AV.htm
and/or
Kaspersky's AVPTool
http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/
--or--
http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
--or--
http://ftp.kaspersky.com/devbuilds/AVPTool/
There's no updating involved since the scanning engine is updated several
times a day and you simply download the updated scanner whenever you want
to do a scan. Uninstall after use. To uninstall/move this program, "enable
self-defense" must be unchecked!
--and/or--
Dr.Web CureIt!® Utility - FREE
http://www.freedrweb.com/cureit/
--and--
SuperAntispyware - Free
http://www.superantispyware.com/superantis...efreevspro.html

Scan in normal and safe mode.

Then download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/to...ools/hijackthis

Please, do not post HJT logs to this newsgroup.
Fora where you can get expert advice for HiJack This! (HJT) logs.

http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?showforum=29

NOTE:
Registration is required in any of the above mentioned fora before posting
a HJT log and read the 'stickies' (instructions/guidelines) for the
respective HJT forum.

Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html
Hundreds Click on 'Click Here to Get Infected' Ad
http://www.eweek.com/article2/0,1895,2132447,00.asp

Good luck
 
"FromTheRafters" wrote in message
news:ent6X%23ZRJHA.1028@TK2MSFTNGP05.phx.gbl...
>
> "Øyvind Granberg" wrote in message
> news:2AA77F27-57A5-4CB9-AD8B-4769F1049533@microsoft.com...
>> Hi...
>>
>> As a continuance of the thread "Do I have a virus?"
>>
>> Well it's back. The Trojan.DNSChanger virus has really never left the
>> building.
>> I have downloaded and paid for software called Malwarebytes and it finds
>> six instances of this virus.
>> I choose to remove them, and the software wants to restart my computer.
>> After reboot, a rerun of Malwarebytes shows that my system is clean.
>> Then IE8 is started. All of a sudden I cannot connect to any website, not
>> even google
>> A new run of Malwarebytes reveals yet another six instances of the same
>> virus.
>>
>> A checkup on all other computers in the household tells a tale of a
>> massive outburst.
>>
>> I've got my ISP to reset the ADSL router, much against his beliefs, but
>> no fix.
>>
>> I am running, amongst others, a self built Windows Vista Ultimate based
>> pc, with all updates, and all security measures running.

>
> Are you running as admin and do you have UAC disabled?
> (but aside from that "all security measures running")
>
>> AVG 8
>> Windows Defender
>> A weekly run of Spybot and Adaware
>> I reckon if I can clean this computer I can easily fix the others.
>>
>> What am I doing wrong here?

>
> You want a list?
>
>> Is this Malwarebyte a hoax?

>
> No, it is a good application.
>
> This malware is extremely sticky - check for rootkit activity.

....before you ask

http://searchenterprisedesktop.techtarget....1086476,00.html
 
I'm saddened to learn that you have a continuing problem, OG.

You said "Then IE8 is started"

IE8 is in Beta - advice I've had says that you must expect problems if you
use an 'un-finished' product. I suggest you uninstall IE8 and try to revert
to IE7.

I've enjoyed browsing your web site btw!


Just to rub salt into the wound, you didn't need to pay anything to download
and use Malwarebytes on a one-off basis (i.e. not continuous protection).

If you have a rootkit, rather than try to find and kill it, I'm sure it will
be much quicker for you to 'Flatten and Rebuild'. If you have access to the
Internet, you may 'enjoy' reading through a thread I started earlier this
year, still available on Google, here:-

http://groups.google.co.uk/group/microsoft...e5f99b403a1e451

My subsequent discussions now lead me to believe that one needs to clear the
CMOS and probably flash the BIOS too if one wants to be sure of a clean
machine.

Good luck!

Dave

--


"Øyvind Granberg" wrote in message
news:2AA77F27-57A5-4CB9-AD8B-4769F1049533@microsoft.com...
> Hi...
>
> As a continuance of the thread "Do I have a virus?"
>
> Well it's back. The Trojan.DNSChanger virus has really never left the
> building.
> I have downloaded and paid for software called Malwarebytes and it finds
> six instances of this virus.
> I choose to remove them, and the software wants to restart my computer.
> After reboot, a rerun of Malwarebytes shows that my system is clean.
> Then IE8 is started. All of a sudden I cannot connect to any website, not
> even google
> A new run of Malwarebytes reveals yet another six instances of the same
> virus.
>
> A checkup on all other computers in the household tells a tale of a
> massive outburst.
>
> I've got my ISP to reset the ADSL router, much against his beliefs, but no
> fix.
>
> I am running, amongst others, a self built Windows Vista Ultimate based
> pc, with all updates, and all security measures running.
> AVG 8
> Windows Defender
> A weekly run of Spybot and Adaware
> I reckon if I can clean this computer I can easily fix the others.
>
> What am I doing wrong here?
> Is this Malwarebyte a hoax?
>
>
> --
>
> Vennlig hilsen
> Øyvind Granberg
>
> tresfjording@live.no
> www.tresfjording.com
 
From: "Øyvind Granberg"

| Hi...

| As a continuance of the thread "Do I have a virus?"

| Well it's back. The Trojan.DNSChanger virus has really never left the
| building.
| I have downloaded and paid for software called Malwarebytes and it finds six
| instances of this virus.
| I choose to remove them, and the software wants to restart my computer.
| After reboot, a rerun of Malwarebytes shows that my system is clean.
| Then IE8 is started. All of a sudden I cannot connect to any website, not
| even google
| A new run of Malwarebytes reveals yet another six instances of the same
| virus.

| A checkup on all other computers in the household tells a tale of a massive
| outburst.

| I've got my ISP to reset the ADSL router, much against his beliefs, but no
| fix.

| I am running, amongst others, a self built Windows Vista Ultimate based pc,
| with all updates, and all security measures running.
| AVG 8
| Windows Defender
| A weekly run of Spybot and Adaware
| I reckon if I can clean this computer I can easily fix the others.

| What am I doing wrong here?
| Is this Malwarebyte a hoax?

First, the DNSChanger is NOT a virus. It is a Trojan and a close relative of the Zlob.
Second, the new breed of the DNSChanger will indeed alter the DNS settings of SOHO Routers.
One *must* change the default password to a strong password.

What I have seen, in the sample I recently tested, is that the DNSChanger injects a DLL
into the Spooler service. The Spooler Service is then restarted and will communicate with
a SOHO Router with a weak password or the default password and it will then alter the SOHO
Router as such affecting your ability to access web sites.

Several days ago I suggested that you post in an Expert Forum.

You apparently failed to do so and that's why you are STILL having problems.

Again I state... This is NOT a virus.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
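
Added example, not part of the original posts: a defender-side check for the symptom described above, where a clean host keeps getting bad name resolution because its DNS servers were changed. It parses `ipconfig /all` text and reports every DNS server outside an allowlist. The sample output, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output; all addresses are placeholders.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : VISTA-PC

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Example Gigabit Ethernet
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       203.0.113.54

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.1.40(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       198.51.100.10
"""

# "Label . . . . : value"; the label ends at the first " :" on the line.
FIELD_RE = re.compile(r"^\s+(.*?)[ .]* :\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {"dhcp": bool, "dns": [address, ...]}}."""
    adapters, current, last_label = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # An unindented line ending in ':' opens a new adapter section.
            stripped = line.rstrip()
            current = None
            if stripped.endswith(":"):
                current = adapters.setdefault(stripped[:-1], {"dhcp": False, "dns": []})
            last_label = None
            continue
        if current is None:
            continue  # global section (host name etc.)
        match = FIELD_RE.match(line)
        if match:
            last_label, value = match.group(1), match.group(2).strip()
        else:
            value = line.strip()  # continuation line of the previous field
        if last_label == "DHCP Enabled" and match:
            current["dhcp"] = value.lower() == "yes"
        elif last_label == "DNS Servers" and value:
            current["dns"].append(value.split("%")[0])  # drop IPv6 zone id
    return adapters


def audit_resolvers(text, trusted):
    """List (adapter, dns_server, source) for resolvers not in `trusted`.

    `trusted` holds addresses or CIDR ranges you expect (router, ISP).
    source is "dhcp" when the adapter is DHCP-configured, so the router is
    the first place to look, and "static" when the adapter is configured
    by hand on the host. This is a heuristic: ipconfig does not show
    whether a DHCP adapter has manually entered DNS servers.
    """
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for name, cfg in parse_ipconfig(text).items():
        for raw in cfg["dns"]:
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                findings.append((name, raw, "unparseable"))
                continue
            if any(addr in net for net in trusted_nets):
                continue
            findings.append((name, raw, "dhcp" if cfg["dhcp"] else "static"))
    return findings


if __name__ == "__main__":
    # Assumption: the router at 192.168.1.1 is the only expected resolver.
    for adapter, server, source in audit_resolvers(SAMPLE_IPCONFIG, ["192.168.1.1"]):
        print(f"{adapter}: unexpected DNS server {server} ({source})")
```

If the clients list only the router itself as their DNS server, this host-side check cannot see which upstream resolvers the router forwards to; those have to be read from the router's own configuration page.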
 
From: "~BD~"



| My subsequent discussions now lead me to believe that one needs to clear the
| CMOS and probably flash the BIOS too if one wants to be sure of a clean
| machine.

| Good luck!

| Dave

/* Absolutely NOT needed. */

Please stay out of this discussion. You don't understand the problem nor the trojan's
activity nor understand the workings of the hardware's interaction with the OS concerning
the BIOS and CMOS.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
>
> You want a list?

You sound like my wife :-)

>
>> Is this Malwarebyte a hoax?

Why I'm asking this is because it doesn't seem to work right. It finds the
trojan, but the registry entries remain after the fix.

>
> No, it is a good application.
>
> This malware is extremely sticky - check for rootkit activity.

I downloaded RootkitRevealer, but it couldn't find anything.



-- Øyvind G. --
 

> Download/execute:
> David H. Lipman's MULTI_AV Tool
> http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe
> http://www.pctipp.ch/downloads/dl/35905.asp
> English:
> http://www.raymond.cc/blog/archives/2008/0...virus-for-free/
> Additional Instructions:
> http://pcdid.com/Multi_AV.htm
> and/or
> Kaspersky's AVPTool
> http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/
> --or--
> http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
> --or--
> http://ftp.kaspersky.com/devbuilds/AVPTool/
> There's no updating involved since the scanning engine is updated several
> times a day and you simply download the updated scanner whenever you want
> to do a scan. Uninstall after use. To uninstall/move this program "enable
> self-defense' must be unchecked!
> --and/or--
> Dr.Web CureIt!® Utility - FREE
> http://www.freedrweb.com/cureit/
> --and--
> SuperAntispyware - Free
> http://www.superantispyware.com/superantis...efreevspro.html
>


First of all, why should I install Kaspersky or Sophos or McAfee or whatever
when I do have AVG 8 installed?

Secondly, paying ?20-50 for every malware remover on the net is not my way of
spending a Thursday night. :-)

But I am working my way through your list...

--øg--
 
On Thu, 13 Nov 2008 21:57:25 +0700, Kayman wrote:

> On Thu, 13 Nov 2008 14:58:22 +0100, Øyvind Granberg wrote:
>
>> Hi...
>>
>> As a continuance of the thread "Do I have a virus?"
>>
>> Well it's back. The Trojan.DNSChanger virus has really never left the
>> building.
>> I have downloaded and paid for software called Malwarebytes and it finds six
>> instances of this virus.
>> I choose to remove them, and the software wants to restart my computer.
>> After reboot, a rerun of Malwarebytes shows that my system is clean.
>> Then IE8 is started. All of a sudden I cannot connect to any website, not
>> even google
>> A new run of Malwarebytes reveals yet another six instances of the same
>> virus.
>>
>> A checkup on all other computers in the household tells a tale of a massive
>> outburst.
>>
>> I've got my ISP to reset the ADSL router, much against his beliefs, but no
>> fix.
>>
>> I am running, amongst others, a self built Windows Vista Ultimate based pc,
>> with all updates, and all security measures running.
>> AVG 8
>> Windows Defender
>> A weekly run of Spybot and Adaware
>> I reckon if I can clean this computer I can easily fix the others.
>>
>> What am I doing wrong here?
>> Is this Malwarebyte a hoax?

>
> Malwarebytes' Anti-Malware is a good-quality bona fide application.
> After the software is updated try scanning in safe mode.
> How do you boot to Safe Mode?
> By pressing/tabbing F8 (or F5 on some keyboards) during re-boot.
> A description of the Safe Mode Boot options in Windows XP
> http://support.microsoft.com/default.aspx?scid=315222
> Start your computer in safe mode (Vista)
> http://windowshelp.microsoft.com/Windows/e...c904a11033.mspx
> http://www.bleepingcomputer.com/tutorials/tutorial61.html
> Alternatively:
> click onto Start==>Run, type "msconfig" (without quotation marks), click
> OK. Then click onto BOOT.INI tab and 'check' /SAFEBOOT then OK and click
> Restart. To go back to Normal Mode, you must access the System
> Configuration utility again and click the General tab then click/check the
> radio button 'Normal Startup'- load all device drivers and services'.
>
> Not successful?
>
> Download/execute:
> David H. Lipman's MULTI_AV Tool
> http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe
> http://www.pctipp.ch/downloads/dl/35905.asp
> English:
> http://www.raymond.cc/blog/archives/2008/0...virus-for-free/
> Additional Instructions:
> http://pcdid.com/Multi_AV.htm
> and/or
> Kaspersky's AVPTool
> http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/
> --or--
> http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
> --or--
> http://ftp.kaspersky.com/devbuilds/AVPTool/
> There's no updating involved since the scanning engine is updated several
> times a day and you simply download the updated scanner whenever you want
> to do a scan. Uninstall after use. To uninstall/move this program "enable
> self-defense' must be unchecked!
> --and/or--
> Dr.Web CureIt!® Utility - FREE
> http://www.freedrweb.com/cureit/
> --and--
> SuperAntispyware - Free
> http://www.superantispyware.com/superantis...efreevspro.html
>
> Scan in normal and safe mode.
>
> Then download and execute HiJack This! (HJT)
> http://www.trendsecure.com/portal/en-US/to...ools/hijackthis
>
> Please, do not post HJT logs to this newsgroup.
> Fora where you can get expert advice for HiJack This! (HJT) logs.
>
> http://www.thespykiller.co.uk/index.php?board=3.0
> http://www.spywarewarrior.com/viewforum.php?f=5
> http://forums.tomcoyote.org/index.php?showforum=27
> http://www.bleepingcomputer.com/forums/forum22.html
> http://www.malwarebytes.org/forums/index.php?showforum=7
> http://www.5starsupport.com/ipboard/index.php?showforum=18
> http://www.theeldergeek.com/forum/index.php?showforum=29
>
> NOTE:
> Registration is required in any of the above mentioned fora before posting
> a HJT log and read the 'stickies' (instructions/guidelines) for the
> respective HJT forum.
>
> Routinely practice Safe-Hex.
> http://www.claymania.com/safe-hex.html
> Hundreds Click on 'Click Here to Get Infected' Ad
> http://www.eweek.com/article2/0,1895,2132447,00.asp
>
> Good luck


Implement Countermeasures against DNSChanger.
http://extremesecurity.blogspot.com/2008/0...t-hijacked.html
 
Use my Remove-it software, it will remove that malware from your system.
Choose yes for all options when prompted. Download it here
http://pcbutts1.com/downloads/tools/tools.htm Use the email link on that
page to send me a copy of the MBAM log.


--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/




"Øyvind Granberg" wrote in message
news:F72C4954-B32D-45A4-986E-6E5DC858E76F@microsoft.com...
>
>> Download/execute:
>> David H. Lipman's MULTI_AV Tool
>> http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe
>> http://www.pctipp.ch/downloads/dl/35905.asp
>> English:
>> http://www.raymond.cc/blog/archives/2008/0...virus-for-free/
>> Additional Instructions:
>> http://pcdid.com/Multi_AV.htm
>> and/or
>> Kaspersky's AVPTool
>> http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/
>> --or--
>> http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
>> --or--
>> http://ftp.kaspersky.com/devbuilds/AVPTool/
>> There's no updating involved since the scanning engine is updated several
>> times a day and you simply download the updated scanner whenever you want
>> to do a scan. Uninstall after use. To uninstall/move this program "enable
>> self-defense' must be unchecked!
>> --and/or--
>> Dr.Web CureIt!® Utility - FREE
>> http://www.freedrweb.com/cureit/
>> --and--
>> SuperAntispyware - Free
>> http://www.superantispyware.com/superantis...efreevspro.html
>>

>
> First of all, why should I install Kaspersky or Sophos or McAfee or
> whatever when I do have AVG 8 installed?
>
> Secondly, paying ?20-50 for every malware remover on the net is not my way
> of spending a Thursday night. :-)
>
> But I am working my way through your list...
>
> --øg--
 
Thank you ~BD~ for those kind words. Glad you liked my website :-)

I will reset the CMOS and BIOS at next reboot.

I am opposed to reinstalling the OS. That is a solution I turned to in the
past.
I reformatted my first computer back in the late eighties. I thought it was
THE solution in the nineties.
This decade the procedure makes me physically sick... hehe...

But after cleaning the registry, deleting files (autorun.inf) and folders
(\resycled) the registry keys rebuilt themselves.
Somewhere there has to be a file that is run at startup, or when I start IE.
I will now revert to IE7 and flush CMOS and reset BIOS during restart.

BRB


--

Vennlig hilsen
Øyvind Granberg

tresfjording@live.no
www.tresfjording.com

"~BD~" skrev i nyhetsmeldingen:
uTso#4bRJHA.4008@TK2MSFTNGP02.phx.gbl ...
> I'm saddened to learn that you have a continuing problem, OG.
>
> You said "Then IE8 is started"
>
> IE8 is in Beta - advice I've had says that you must expect problems if you
> use an 'un-finished' product. I suggest you uninstall IE8 and try to
> revert to IE7.
>
> I've enjoyed browsing your web site btw!

>
> Just to rub salt into the wound, you didn't need to pay anything to
> download and use Malwarebytes on a one-off basis (i.e. not continuous
> protection).
>
> If you have a rootkit, rather than try to find and kill it, I'm sure it
> will be much quicker for you to 'Flatten and Rebuild'. If you have access
> to the Internet, you may 'enjoy' reading through a thread I started
> earlier this year, still available on Google, here:-
>
> http://groups.google.co.uk/group/microsoft...e5f99b403a1e451
>
> My subsequent discussions now lead me to believe that one needs to clear
> the CMOS and probably flash the BIOS too if one wants to be sure of a
> clean machine.
>
> Good luck!
>
> Dave
>
> --
>
>
> "Øyvind Granberg" wrote in message
> news:2AA77F27-57A5-4CB9-AD8B-4769F1049533@microsoft.com...
>> Hi...
>>
>> As a continuance of the thread "Do I have a virus?"
>>
>> Well it's back. The Trojan.DNSChanger virus has really never left the
>> building.
>> I have downloaded and paid for software called Malwarebytes and it finds
>> six instances of this virus.
>> I choose to remove them, and the software wants to restart my computer.
>> After reboot, a rerun of Malwarebytes shows that my system is clean.
>> Then IE8 is started. All of a sudden I cannot connect to any website, not
>> even google
>> A new run of Malwarebytes reveals yet another six instances of the same
>> virus.
>>
>> A checkup on all other computers in the household tells a tale of a
>> massive outburst.
>>
>> I've got my ISP to reset the ADSL router, much against his beliefs, but
>> no fix.
>>
>> I am running, amongst others, a self built Windows Vista Ultimate based
>> pc, with all updates, and all security measures running.
>> AVG 8
>> Windows Defender
>> A weekly run of Spybot and Adaware
>> I reckon if I can clean this computer I can easily fix the others.
>>
>> What am I doing wrong here?
>> Is this Malwarebyte a hoax?
>>
>>
>> --
>>
>> Vennlig hilsen
>> Øyvind Granberg
>>
>> tresfjording@live.no
>> www.tresfjording.com

>
>
 
On Fri, 14 Nov 2008 00:33:54 +0100, Øyvind Granberg wrote:

>> Download/execute:
>> David H. Lipman's MULTI_AV Tool
>> http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe
>> http://www.pctipp.ch/downloads/dl/35905.asp
>> English:
>> http://www.raymond.cc/blog/archives/2008/0...virus-for-free/
>> Additional Instructions:
>> http://pcdid.com/Multi_AV.htm
>> and/or
>> Kaspersky's AVPTool
>> http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/
>> --or--
>> http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
>> --or--
>> http://ftp.kaspersky.com/devbuilds/AVPTool/
>> There's no updating involved since the scanning engine is updated several
>> times a day and you simply download the updated scanner whenever you want
>> to do a scan. Uninstall after use. To uninstall/move this program "enable
>> self-defense' must be unchecked!
>> --and/or--
>> Dr.Web CureIt!® Utility - FREE
>> http://www.freedrweb.com/cureit/
>> --and--
>> SuperAntispyware - Free
>> http://www.superantispyware.com/superantis...efreevspro.html
>>

>
> First of all, why should I install Kaspersky or Sophos or McAfee or whatever
> when I do have AVG 8 installed?

Whenever I jump out of an aircraft in mid-flight I *always* carry a second
parachute...

> Secondly, paying ?20-50 for every malware remover on the net is not my way of
> spending a Thursday night. :-)


None of the applications cost a dime; they are FREE! (Even Malwarebytes
comes in a free version).

> But I am working my way through your list...


Implement Countermeasures against DNSChanger.
http://extremesecurity.blogspot.com/2008/0...t-hijacked.html
 
On 11/13/2008 10:33 AM, ~BD~ sent:

Snip, snip...

>
> My subsequent discussions now lead me to believe that one needs to clear the
> CMOS and probably flash the BIOS too if one wants to be sure of a clean
> machine.
>
> Good luck!
>
> Dave
>


Hello Dave:

It is quite easy to take what we discussed, in the other thread, out of
context. Extreme measures are not indicated in many instances. Good
judgment, must be coupled with experience. Also, reburning the BIOS
does come with its own set of risks of failure. The motherboard is
clearly at risk. If the above malware is clearly hard disk drive
resident, the risk/benefit ratio of reburning the BIOS is clearly not on
the side of the system's tech/owner/user.

A proper assessment/diagnosis must precede the proper corrective
action.

--
1PW

@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
 
Your procedure involves hundreds of MBs to download.
Aren't we here shooting sparrows with cannons?

--

Vennlig hilsen
Øyvind Granberg

tresfjording@live.no
www.tresfjording.com

"David H. Lipman" skrev i nyhetsmeldingen:
e0662gdRJHA.4608@TK2MSFTNGP03.phx.gbl ...
> From: "Øyvind Granberg"
>
> | Hi...
>
> | As a continuance of the thread "Do I have a virus?"
>
> | Well it's back. The Trojan.DNSChanger virus has really never left the
> | building.
> | I have downloaded and paid for software called Malwarebytes and it finds six
> | instances of this virus.
> | I choose to remove them, and the software wants to restart my computer.
> | After reboot, a rerun of Malwarebytes shows that my system is clean.
> | Then IE8 is started. All of a sudden I cannot connect to any website, not
> | even google
> | A new run of Malwarebytes reveals yet another six instances of the same
> | virus.
>
> | A checkup on all other computers in the household tells a tale of a massive
> | outburst.
>
> | I've got my ISP to reset the ADSL router, much against his beliefs, but no
> | fix.
>
> | I am running, amongst others, a self built Windows Vista Ultimate based pc,
> | with all updates, and all security measures running.
> | AVG 8
> | Windows Defender
> | A weekly run of Spybot and Adaware
> | I reckon if I can clean this computer I can easily fix the others.
>
> | What am I doing wrong here?
> | Is this Malwarebyte a hoax?
>
> First, the DNSChanger is NOT a virus. It is a Trojan and a close relative
> of the Zlob.
> Second, the new breed of the DNSChanger will indeed alter the DNS settings
> of SOHO Routers.
> One *must* change the default password to a strong password.
>
> What I have seen, in the sample I recently tested, is that the DNSChanger
> injects a DLL
> into the Spooler service. The Spooler Service is then restarted and will
> communicate with
> a SOHO Router with a weak password or the default password and it will
> then alter the SOHO
> Router as such affecting your ability to access web sites.
>
> Several days ago I suggested that you post in an Expert Forum.
>
> You apparently failed to do so and that's why you are STILL having
> problems.
>
> Again I state... This is NOT a virus.
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
"1PW" wrote in message
news:gfig6d$tuj$1@feeder.motzarella.org...
> On 11/13/2008 10:33 AM, ~BD~ sent:
>
> Snip, snip...
>
>>
>> My subsequent discussions now lead me to believe that one needs to clear
>> the
>> CMOS and probably flash the BIOS too if one wants to be sure of a clean
>> machine.
>>
>> Good luck!
>>
>> Dave
>>

>
> Hello Dave:
>
> It is quite easy to take what we discussed, in the other thread, out of
> context. Extreme measures are not indicated in many instances. Good
> judgment, must be coupled with experience. Also, reburning the BIOS
> does come with its own set of risks of failure. The motherboard is
> clearly at risk. If the above malware is clearly hard disk drive
> resident, the risk/benefit ratio of reburning the BIOS is clearly not on
> the side of the system's tech/owner/user.
>
> A proper assessment/diagnosis must precede the proper corrective
> action.
>
> --
> 1PW

--

Hello again, Pete


> @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]


I've still not worked out what this code means (busy doing other things
today!)

I fully appreciate your comments and I'm sure Øyvind Granberg will
understand too. Having reviewed his web site and absorbed a notion of his
experience with computers, I'm equally sure that he, just like me, will wish
to experiment and try to solve his problems himself - without resorting to
employing a 'professional' (as it seems you once were!).

You say "A proper assessment/diagnosis must precede the proper corrective
action". I fully accept this. With your wealth of experience, where would
*you* recommend one might go on the Internet to achieve this objective?

Why do I ask you? You are one of the few folk on these MS security
newsgroups who has taken a great deal of time and trouble to help me better
understand these technical matters (FromTheRafters has been another
recently - thanks FTR). I do not profess, nor ever have, to be knowledgeable
about computers. That doesn't mean that I am stupid and ignorant ....... as
some here would have you believe!

I did not come to these groups to solve my malware problems, rather to
investigate how, and by whom, machines are infected in the first place. I
basically trust no-one and don't believe something simply because it is
showing on a screen in front of me. Nor do I blindly follow 'instructions'
from any Tom, Dick or Harry (or even David H Lipman - whose credentials are
completely unknown - yet who struts around these groups as if he is Lord of
the manor!).

The average guy who proceeds to a forum, downloads all manner of magical
programmes to help fix his /her PC (under instruction, of course) will have
absolutely no idea if their machine has *really* been cleaned - as long as
it 'works', that will be sufficient. Lambs to the slaughter perhaps?

Thanks for listening,

Dave
 
"Øyvind Granberg" wrote in message
news:e83729eRJHA.1164@TK2MSFTNGP03.phx.gbl...
> Your procedure involves hundreds of MBs to download.
> Aren't we here shooting sparrows with cannons?


Taking the easy road is how you got into this mess. David has
given you good direction, and it will be good practice for the
next time.
 
Øyvind

You are in exactly the same boat as the one you are answering to. Be careful, it might sink. Learn to listen.

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"Øyvind Granberg" wrote in message news:B70F3874-ADB3-4B60-B276-9C1D57BE2D40@microsoft.com...
> Thank you ~BD~ for those kind words. Glad you liked my website :-)
>
> I will reset the CMOS and BIOS at next reboot.
>
> I am opposed to reinstalling the OS. That is a solution I turned to in the
> past.
> I reformatted my first computer back in the late eighties. I thought it was
> THE solution in the nineties.
> This decade the procedure makes me physically sick... hehe...
>
> But after cleaning the registry, deleting files (autorun.inf) and folders
> (resycled) the registry keys rebuilt themselves.
> Somewhere there has to be a file that is run at startup, or when I start IE.
> I will now revert to IE7 and flush CMOS and reset BIOS during restart.
>
> BRB
>
>
> --
>
> Vennlig hilsen
> Øyvind Granberg
>
> tresfjording@live.no
> www.tresfjording.com
>
> "~BD~" skrev i nyhetsmeldingen:
> uTso#4bRJHA.4008@TK2MSFTNGP02.phx.gbl ...
>> I'm saddened to learn that you have a continuing problem, OG.
>>
>> You said "Then IE8 is started"
>>
>> IE8 is in Beta - advice I've had says that you must expect problems if you
>> use an 'un-finished' product. I suggest you uninstall IE8 and try to
>> revert to IE7.
>>
>> I've enjoyed browsing your web site btw!

>>
>> Just to rub salt into the wound, you didn't need to pay anything to
>> download and use Malwarebytes on a one-off basis (i.e. not continuous
>> protection).
>>
>> If you have a rootkit, rather than try to find and kill it, I'm sure it
>> will be much quicker for you to 'Flatten and Rebuild'. If you have access
>> to the Internet, you may 'enjoy' reading through a thread I started
>> earlier this year, still available on Google, here:-
>>
>> http://groups.google.co.uk/group/microsoft...e5f99b403a1e451
>>
>> My subsequent discussions now lead me to believe that one needs to clear
>> the CMOS and probably flash the BIOS too if one wants to be sure of a
>> clean machine.
>>
>> Good luck!
>>
>> Dave
>>
>> --
>>
>>
>> "Øyvind Granberg" wrote in message
>> news:2AA77F27-57A5-4CB9-AD8B-4769F1049533@microsoft.com...
>>> Hi...
>>>
>>> As a continuance of the thread "Do I have a virus?"
>>>
>>> Well it's back. The Trojan.DNSChanger virus has really never left the
>>> building.
>>> I have downloaded and paid for software called Malwarebytes and it finds
>>> six instances of this virus.
>>> I choose to remove them, and the software wants to restart my computer.
>>> After reboot, a rerun of Malwarebytes shows that my system is clean.
>>> Then IE8 is started. All of a sudden I cannot connect to any website, not
>>> even google
>>> A new run of Malwarebytes reveals yet another six instances of the same
>>> virus.
>>>
>>> A checkup on all other computers in the household tells a tale of a
>>> massive outburst.
>>>
>>> I've got my ISP to reset the ADSL router, much against his beliefs, but
>>> no fix.
>>>
>>> I am running, amongst others, a self built Windows Vista Ultimate based
>>> pc, with all updates, and all security measures running.
>>> AVG 8
>>> Windows Defender
>>> A weekly run of Spybot and Adaware
>>> I reckon if I can clean this computer I can easily fix the others.
>>>
>>> What am I doing wrong here?
>>> Is this Malwarebyte a hoax?
>>>
>>>
>>> --
>>>
>>> Vennlig hilsen
>>> Øyvind Granberg
>>>
>>> tresfjording@live.no
>>> www.tresfjording.com

>>
>>
 
"Øyvind Granberg" wrote in message
news:30DDCE10-7C2A-479B-972C-439F1393C7D2@microsoft.com...
> >
>> You want a list?

> You sound like my wife :-)

But *I* appreciate your sense of humor.
D
 
From: "Øyvind Granberg"

| Your procedure involves hundres of MB's to download.
| Aren't we here shooting sparrow with cannons?

My procedure was for you to post in an Expert Forum and I don't see how it would require
hundreds of MBs of download.

If you are talking about my Multi AV Scanning Tool, I never suggested you use it.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
