Got my first Trojan Virus yesterday, and it was particularly nasty.
Trojan.DNSChanger
It changes your DNS settings, and re-directs you to its own pages. This is bad, considering it then won't let you download anything to remove it, as it directs you away from those pages.
Managed to download what I needed (Malwarebytes' Anti-Malware) via the Linux install on my laptop, installed it, and ran it. Loads of stuff was infected:
Malwarebytes' Anti-Malware 1.33
Database version: 1691
Windows 6.0.6001 Service Pack 1
25/01/2009 13:21:11
mbam-log-2009-01-25 (13-21-11).txt
Scan type: Quick Scan
Objects scanned: 58435
Time elapsed: 4 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\aquaplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.62,85.255.112.70 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cea334ac-470e-4f67-9671-5d51d8cde38d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.62,85.255.112.70 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cea334ac-470e-4f67-9671-5d51d8cde38d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.62,85.255.112.70 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{df012b50-538a-4ebe-b643-f0fa471d0d3a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.62,85.255.112.70 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.62,85.255.112.70 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cea334ac-470e-4f67-9671-5d51d8cde38d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.62,85.255.112.70 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cea334ac-470e-4f67-9671-5d51d8cde38d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.62,85.255.112.70 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{df012b50-538a-4ebe-b643-f0fa471d0d3a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.62,85.255.112.70 -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\drivers\gaopdxbtpvspns.sys (Trojan.Agent) -> Quarantined and deleted successfully.
Managed to remove it though. It also stops AVG from working properly, and Windows Defender.
Going to do a full virus scan, and also install Spybot Search and Destroy as an extra measure.
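
An added example, not part of the original post: a check for unexpected resolvers in the NameServer and DhcpNameServer registry values that the scan log above lists. It assumes the input is text in the layout printed by `reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /s`; the function name audit_dns, the sample text and the allowed resolver 192.168.1.1 are constructed for illustration.

```python
import ipaddress
import re

# Value names under Tcpip\Parameters that hold resolver addresses.
DNS_VALUES = {"NameServer", "DhcpNameServer"}
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_\w+\s*(.*)$")

# Constructed sample shaped like `reg query ... /s` output; the resolver
# addresses are the ones in the scan log above, 192.168.1.1 is made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Hostname    REG_SZ    laptop
    NameServer    REG_SZ    85.255.114.62,85.255.112.70

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cea334ac-470e-4f67-9671-5d51d8cde38d}
    DhcpNameServer    REG_SZ    85.255.114.62 85.255.112.70
    NameServer    REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{df012b50-538a-4ebe-b643-f0fa471d0d3a}
    DhcpNameServer    REG_SZ    192.168.1.1
"""

def audit_dns(reg_text, expected):
    """Return (key, value_name, address) for every resolver not in `expected`."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    findings, key = [], None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or m.group(1) not in DNS_VALUES:
            continue
        # The data may be a comma- or space-separated list, or empty.
        for token in re.split(r"[,\s]+", m.group(2).strip()):
            if not token:
                continue
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                findings.append((key, m.group(1), token))  # not an IP: report it
                continue
            if addr not in allowed:
                findings.append((key, m.group(1), str(addr)))
    return findings

if __name__ == "__main__":
    for key, name, addr in audit_dns(SAMPLE, ["192.168.1.1"]):
        print(f"unexpected resolver {addr} in {key}\\{name}")
```

Checking against an allowlist of the resolvers you expect (router or ISP) catches any substituted address, not only the two in this log.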