DNS changer [win32-VJ] or [DNSchanger VJ.Trj]

dnschanger virus


#1 mudmanc4

    TMN Seasoned Veteran

  • Moderators
  • 9,040 posts
  • Location: In The Plex

Posted 17 February 2012 - 06:12 AM

I'm hopeful that you are aware of the resurgence of the dnschanger virus; it's a nasty trojan with a zero-day timer. Reports are March 8th, or thereabouts, the machines containing active running processes will do more than just hijack your browser and redirect you to wherever the writers have decided.

You should be running a decent antivirus, updated regularly. Scan regularly and check the running processes; this bug reinstalls directories each month, or less.

From my experience with this, you'll need to remove the following regularly until you get the culprit.
[Please do not delete something just because you do not recognize the format; you may break something.] So make a backup of the files you wish to keep in case you need to do a restore or even re-image the drive.

c:\windows\system32\[there will be random characters here].dll

c:\documents and settings\Administrator\Local Settings\Temp\[more random characters]

%AllUsersProfile%\[more random characters].exe

%localAppData%\[more random characters].exe

This guy changes his name so that your scanner cannot see and delete it; the above is very random and more difficult to even find, so be diligent.

There are "drivers" installed by the dnschanger virus as well. Depending on which version you have, what is installed and/or replicating will differ.

Go into your Device Manager and look for the following in [hidden drivers]; they might be in the plug and play drivers area. You'll want to disable these. Then once you finish, reboot the machine.

TDSSserv.sys
TDSSxyz.sys where xyz are random characters
msqpdxserv.sys
gaopdxserv.sys
gxvxcserv.sys
seneka
seneka.sys
ndisprot.sys
UACd.sys
MSIVXserv.sys
ESQULserv.sys
H8SRTd.sys
_VOIDd.sys

Look for these folders/files and delete them if they are present.

C:\Windows\system32\wdmaud.sys
C:\resycled\bootmatrix.com
Folders to delete:
C:\resycled

Malwarebytes seems to be a good one at detecting and removing many of the replicated files owned by dnschanger.

You'll also want to check the settings in your browser, to ensure that the proxy settings are as they should be, generally off for the average user.

Go to Start -> Control Panel -> Network Connections.
Right-click your default connection [Local Area Connection] and left-click on Properties.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically; click twice to set to auto.
Next go to Start -> Run, type CMD, and in the field run "ipconfig /flushdns".
Reboot your machine.
This is by far a complete means to rid yourself of the dnschanger trojan, so any of you that have more info on this, please share.
Vote 2012!

So how's everybody doing in that little head of yours? ™
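Added example (not from mudmanc4's post or the forum): a read-only PowerShell audit that checks the same items the post walks through by hand, so you can see the state of a machine before and after following the steps. It assumes an elevated PowerShell 2.0 or later prompt on Windows (the WMI classes used exist on XP SP2 and later), and the `$KnownGoodDns` allow-list is a placeholder that you must replace with the resolvers your ISP or router actually hands out. The driver names, file paths and the "proxy generally off" check come straight from the post; nothing here deletes or changes anything.

```powershell
# Added read-only audit script; it is not from the original post.
# Assumptions: Windows, PowerShell 2.0+, run from an elevated prompt so that
# Win32_SystemDriver and the system32 paths are readable.
# $KnownGoodDns is a PLACEHOLDER (RFC 5737 documentation addresses); replace it
# with the resolvers your ISP or network really assigns.

$KnownGoodDns = @('192.0.2.53', '192.0.2.54')

# Driver/service names from the post. The post's "TDSSxyz.sys" wildcard is
# covered separately by a -like match on the TDSS prefix.
$SuspectDrivers = @('TDSSserv', 'msqpdxserv', 'gaopdxserv', 'gxvxcserv', 'seneka',
                    'ndisprot', 'UACd', 'MSIVXserv', 'ESQULserv', 'H8SRTd', '_VOIDd')

# Files/folders the post says to delete if present (reported here, not removed).
$SuspectPaths = @("$env:SystemRoot\system32\wdmaud.sys",
                  "$env:SystemDrive\resycled\bootmatrix.com",
                  "$env:SystemDrive\resycled")

function Test-DnsSettings {
    # One row per IP-enabled adapter. Any DNS server that is not on the
    # allow-list marks the adapter Suspicious; DhcpEnabled is shown for context.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $adapter    = $_
            $servers    = @($adapter.DNSServerSearchOrder)
            $unexpected = @($servers | Where-Object { $KnownGoodDns -notcontains $_ })
            New-Object PSObject -Property @{
                Adapter     = $adapter.Description
                DhcpEnabled = $adapter.DHCPEnabled
                DnsServers  = ($servers -join ', ')
                Suspicious  = ($unexpected.Count -gt 0)
            }
        }
}

function Test-SuspectDrivers {
    # Kernel drivers whose service name matches the post's list or TDSS*.
    # -contains and -like are case-insensitive by default in PowerShell.
    Get-WmiObject Win32_SystemDriver |
        Where-Object { ($SuspectDrivers -contains $_.Name) -or ($_.Name -like 'TDSS*') } |
        Select-Object Name, PathName, State, StartMode
}

function Test-SuspectPaths {
    # Report whether each path named in the post exists; Test-Path never throws
    # for a missing path, it just returns False.
    foreach ($p in $SuspectPaths) {
        New-Object PSObject -Property @{ Path = $p; Present = (Test-Path -Path $p) }
    }
}

function Test-ProxySettings {
    # Per-user WinINET proxy values (what IE and most Windows apps use); the post
    # says these should generally be off for a home user.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p   = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        ProxyEnabled  = ($p.ProxyEnable -eq 1)
        ProxyServer   = $p.ProxyServer
        AutoConfigUrl = $p.AutoConfigURL
    }
}

Write-Host '== DNS servers per adapter =='
Test-DnsSettings | Format-Table Adapter, DhcpEnabled, DnsServers, Suspicious -AutoSize
Write-Host "== Drivers matching the post's list =="
Test-SuspectDrivers | Format-Table -AutoSize
Write-Host '== Files/folders named in the post =='
Test-SuspectPaths | Format-Table Path, Present -AutoSize
Write-Host '== WinINET proxy (HKCU) =='
Test-ProxySettings | Format-List
```

Run it once before cleaning and once after the reboot the post calls for. A `Suspicious = True` row on an adapter you expect to use DHCP is exactly what the "Obtain DNS servers automatically" step resets, and a `ProxyEnabled = True` with a server you did not configure is the browser proxy change the post warns about. A driver row on a machine where you have not installed software with those names, or `Present = True` for the `resycled` paths, is the point at which the post's advice to back up first and then let a scanner such as Malwarebytes do the removal applies.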
