|
I have an Alureon trojan that keeps creating a registry key that rewrites my DNS servers and hijacks my processes so that every time I input new DNS servers, it just hijacks those new ones instead.
From HijackThis:
O17 - HKLM\System\CCS\Services\Tcpip\..\{843E7ADF-E671-4CE3-B51A-7D90A04EDE28}: NameServer = 68.238.64.12,68.238.96.12
I found the registry key and deleted it, but in doing so I had to input my DNS servers again, which created the registry key above again.
What really bugs me is that all these parameters are legit parameters and recreate themselves because they're pretty important to the internet... there's something manipulating these keys or renaming them but I can't find it.
Also tried setting it to '0', but then a .sys file tries to fix it (Avira keeps catching it) and says it's from C:\System Volume Information. Another one from a mysterious C file contains an exploit which I think is the executable or the updater. Neither of them stops trying, even if I delete it.
HijackThis doesn't work because it has the same effect as manually deleting. Virus scan has worked to some degree, but the DNS thing is still happening. Avira hasn't found the trojan. CCleaner had no effect. I have no idea how to use ComboFix.
Please help, I have no idea what else I can do..
|
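Added example, not part of any post in this thread: a Python sketch that extracts the O17 `NameServer` entries from a HijackThis log and reports every resolver that is malformed or not on a list you expect. The `EXPECTED_RESOLVERS` set, the function names, and every sample line except the first (which is the line quoted in the post above) are assumptions made for illustration.

```python
import ipaddress
import re

# O17 line shape as shown in the post: registry key path, then "NameServer = ...".
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\\S+?): NameServer = (?P<servers>.+)$")

# First line is the one quoted in the thread; the others are constructed samples.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{843E7ADF-E671-4CE3-B51A-7D90A04EDE28}: NameServer = 68.238.64.12,68.238.96.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.0.2.53 192.0.2.54
O2 - BHO: (constructed non-O17 line, ignored)
"""

# Assumption for this example only: the resolvers you configured yourself.
EXPECTED_RESOLVERS = {"68.238.64.12", "68.238.96.12"}


def parse_o17(log_text):
    """Return [(registry_key, [server, ...]), ...] for each O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # Tolerate comma or whitespace separators between addresses.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        entries.append((m.group("key"), servers))
    return entries


def unexpected_resolvers(log_text, expected):
    """Return [(key, value, reason), ...] for resolvers that need a closer look."""
    findings = []
    for key, servers in parse_o17(log_text):
        for value in servers:
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                findings.append((key, value, "not an IP address"))
                continue
            if str(ip) not in expected:
                findings.append((key, value, "not in expected list"))
    return findings


if __name__ == "__main__":
    for key, value, reason in unexpected_resolvers(SAMPLE_LOG, EXPECTED_RESOLVERS):
        print(f"{value}: {reason} ({key})")
```

Running it against logs taken before and after re-entering the DNS settings shows which interface keys changed and to what values.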
|
yes ima post them in a bit h/o
edit: Bitdefender didn't find anything and ESET is taking a lot longer
ESET is still going, but it found an Olmarik.SV trojan. I kinda doubt this one rewrites DNS servers though...
Oh I forgot to mention: whenever I input my DNS servers and click okay, a msg pops up and says there's another adapter with the same IP address as mine, and I click "no I don't want to change it," and then the comp works for about 3 seconds and then the TCP/IP screen disappears. Whatever I have, it recognizes that process after I click something and recreates the registry key.
The msg that says there's another comp w/ the same IP address doesn't surprise me cause I sometimes unplug/replug my adapter into a new USB port (I have a static IP address too), but that msg itself is new which makes me suspicious of it..
|
Some things you could try out:
1. Turn off system restore (and keep it that way for the rest of your life).
2. Perform a full system scan with Avira (once I had a really nasty trojan; looking over the internet I saw a couple of super-complicated solutions that involved downloading various stuff, restarting in safe mode, launching them in correct order, changing the registry and so on... A simple full scan solved the problem for me without all this bullshit).
|
Either think unsexy thoughts, or just finish. And next time buy lubricated Trojans.
|
Reformat, after moving all your games and whatnot onto a separate partition so you don't lose them.
|
@manit0u: I just did a full system scan and the only trojans it found were from ADVLoader a while back. But why do I need to turn off system restore? I use it as a last ditch effort to fix my computer and sometimes it works... it didn't this time.
@ghermination: I dun have the XP CD, none of my friends have the CD, and I am too poor to go ask the computer guy to use his CD.
|
On January 25 2010 05:05 imBLIND wrote:
@ghermination: I dun have the XP CD, none of my friends have the CD, and I am too poor to go ask the computer guy to use his CD.
Although it's not legal, I'd say one word: torrents.
|
Get some Purell if it is a virus and pour it on your hard drive. If it's a trojan then get a girl.
|
|
@slimshady: I've been torrenting for a few years now, and I can say for a fact that torrenting the actual Windows 7 or XP is a total waste of time without a really good keygen. Not gonna waste my time dling that and spend a week looking for a keygen that works.
@patriot: I don't care about the malware cause that's ez to delete. I'm tryin to get rid of the trojan changin my DNS and sendin me the malware. Process Explorer didn't have any suspicious looking .dlls.
I was browsing through my registry and found the "real" Tcpip file. The key I posted above is being remade by the trojan..
|
I thought this was going to be about condoms.
|
On January 25 2010 06:15 Athos wrote:
I thought this was going to be about condoms.
Actually me too... I thought he had tried to cram himself into a small condom and gotten stuck or something.
|
Try Activescan. It got rid of a trojan that Norton couldn't.
It requires a subscription to get it to remove everything, but any malicious or dangerous viruses/spyware will be removed for free.
|
|
|
Purell is the best way to go
|
|
|
|