Re: dnsChange virus



On Thu, 13 Nov 2008 14:58:22 +0100, Øyvind Granberg wrote:

Hi...

As a continuance of the thread "Do I have a virus?"

Well it's back. The Trojan.DNSChanger virus has really never left the
building.
I have downloaded and paid for software called Malwarebytes and it finds six
instances of this virus.
I choose to remove them, and the software wants to restart my computer.
After reboot, a rerun of Malwarebytes shows that my system is clean.
Then IE8 is started. All of a sudden I cannot connect to any website, not
even Google.
A new run of Malwarebytes reveals yet another six instances of the same
virus.

A checkup on all other computers in the household tells a tale of a massive
outburst.

I've got my ISP to reset the ADSL router, much against his beliefs, but no
fix.

I am running, amongst others, a self-built Windows Vista Ultimate based PC,
with all updates, and all security measures running.
AVG 8
Windows Defender
A weekly run of Spybot and Adaware
I reckon if I can clean this computer I can easily fix the others.

What am I doing wrong here?
Is this Malwarebytes a hoax?

Malwarebytes' Anti-Malware is a good-quality bona fide application.
After the software is updated, try scanning in safe mode.
How do you boot to Safe Mode?
By pressing/tapping F8 (or F5 on some keyboards) during re-boot.
A description of the Safe Mode Boot options in Windows XP
http://support.microsoft.com/default.aspx?scid=315222
Start your computer in safe mode (Vista)
http://windowshelp.microsoft.com/Windows/en-us/help/323ef48f-7b93-4079-a48a-5c58eec904a11033.mspx
http://www.bleepingcomputer.com/tutorials/tutorial61.html
Alternatively:
click onto Start==>Run, type "msconfig" (without quotation marks), click
OK. Then click onto BOOT.INI tab and 'check' /SAFEBOOT then OK and click
Restart. To go back to Normal Mode, you must access the System
Configuration utility again and click the General tab then click/check the
radio button 'Normal Startup - load all device drivers and services'.

Not successful?

Download/execute:
David H. Lipman's MULTI_AV Tool
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe
http://www.pctipp.ch/downloads/dl/35905.asp
English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/
Additional Instructions:
http://pcdid.com/Multi_AV.htm
and/or
Kaspersky's AVPTool
http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/
--or--
http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
--or--
http://ftp.kaspersky.com/devbuilds/AVPTool/
There's no updating involved since the scanning engine is updated several
times a day and you simply download the updated scanner whenever you want
to do a scan. Uninstall after use. To uninstall/move this program, 'enable
self-defense' must be unchecked!
--and/or--
Dr.Web CureIt!® Utility - FREE
http://www.freedrweb.com/cureit/
--and--
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html

Scan in normal and safe mode.

Then download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Please, do not post HJT logs to this newsgroup.
Fora where you can get expert advice for HiJack This! (HJT) logs.

http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?s=2e9ea4e19d3289dd877ab75a8220bff6&showforum=29

NOTE:
Registration is required in any of the above-mentioned fora before posting
an HJT log. Also read the 'stickies' (instructions/guidelines) for the
respective HJT forum.

Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html
Hundreds Click on 'Click Here to Get Infected' Ad
http://www.eweek.com/article2/0,1895,2132447,00.asp

Good luck :)