How to remove trojan DNSChanger (DNS hijacking and copy-book.com virus)


Trojan DNSChanger is the name of a group of trojans (Zlob DNS changer, Troj/Rustok-N, W32/Tidserv …) that hijack your DNS settings and then redirect you to malicious websites and steal personal identities.

Trojan DNSChanger symptoms

  • Windows Update redirects you to msn.com.
  • Search results in Google, Yahoo, MSN and other search engines redirect you to unrelated sites.
  • Google/Yahoo/MSN results redirect you via copy-book.com or another fake site.
  • Google/Yahoo/MSN searches have become slower.
  • Facebook and YouTube redirect to different sites.
  • “Waiting for 7.7.7.0…” appears at the bottom left corner of IE while Google search results are loading. It is caused by the file C:\Windows\system32\wdmaud.sys (reported as Rootkit.Win32.Agent.fwt). The legitimate wdmaud.sys actually lives in C:\Windows\system32\drivers\.
  • Any web page loads really slowly.
  • The System Restore function is blocked.
  • Vimax pills banner ads pop up on some sites, including security sites.
  • Cannot run msconfig.
  • Cannot update antivirus and antispyware programs.
  • The trojan affects all browsers (IE7 and Firefox).
  • HijackThis shows the infection:

    O17 – HKLM\System\CCS\Services\Tcpip\..\{1F5A3FA3-74FB-41DD-AD5B-F8C6C8B3D0EC}: NameServer = 85.255.116.86,85.255.112.157

Use the following instructions to remove trojan DNSChanger (Zlob DNS changer uninstall instructions).

1. Disable and remove trojan drivers.
Skip this step if TDSSserv.sys or TDSSxyz.sys (where xyz are random characters), msqpdxserv.sys and seneka.sys are not listed in the list of drivers.

  • Right-click the My Computer icon. If you are using the non-classic Start menu, right-click the My Computer icon in your Start menu.
  • Click Properties.
  • Click the Hardware tab.
  • Click Device Manager.
  • In the top menu, click View and then Show Hidden Devices.
  • Scroll down to Non-Plug and Play Drivers.
  • Click the + at the left.
  • In the list of drivers, right-click TDSSserv.sys or TDSSxyz.sys (where xyz are random characters), msqpdxserv.sys, seneka or seneka.sys.
  • Click Disable.
  • Click Yes to confirm.
  • Close all windows and reboot your computer.
  • Download Avenger from here and unzip it to your desktop.
  • Run Avenger, then copy and paste the following text into the Input script box:

    Drivers to delete:
    TDSSserv.sys
    msqpdxserv.sys
    seneka
    seneka.sys
    ndisprot.sys

    Files to delete:
    C:\Windows\system32\wdmaud.sys
    C:\resycled\bootmatrix.com

    Folders to delete:
    C:\resycled

    Then click on ‘Execute’.

  • You will be asked “Are you sure you want to execute the current script?”. Click Yes.
  • You will then be asked “First step completed — The Avenger has been successfully set up to run on next boot. Reboot now?”. Click Yes.
  • Your PC will now be rebooted.

2. Remove DNSChanger trojan files, registry keys and any associated malware.

  • Download Malwarebytes Anti-Malware (MBAM), a program designed to quickly detect, destroy and prevent malware, spyware and trojans.
  • Once downloaded, close all programs and windows on your computer (including this one).
  • Double-click on the icon named mbam-setup.exe to install the application.
  • When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • MBAM will now start scanning your computer for malware. This process may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • MBAM will now delete all of the files and registry keys and add them to the quarantine.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

3. Repair your Internet settings (set the option “Obtain DNS server address automatically”).
Skip this step if the computer works fine.

  • Go to Start -> Control Panel -> Network Connections.
  • Right-click your default connection (usually Local Area Connection, or Dial-up Connection if you are using dial-up) and left-click Properties.
  • Double-click the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS server address automatically. Click OK twice.
  • Go to Start -> Run, enter CMD and click OK.
  • At the DOS prompt, type cd\ and press ENTER.
  • Now type ipconfig /flushdns and press ENTER (note the space after ipconfig).
  • Close the command prompt window.
  • Reboot your PC and try to open any website.
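The HijackThis O17 entry in the symptoms list and the “Obtain DNS server address automatically” repair in step 3 both come down to the same question: which name servers is the machine actually using, and do they belong to the trojan? The following script is an added example, not code from the original post or from HijackThis, Malwarebytes or Avenger. It pulls name-server addresses out of HijackThis O17 lines or `ipconfig /all` output and flags any that fall inside a suspicious range. The only range it knows, 85.255.112.0/20, is an assumption chosen because it contains both addresses from the page's O17 line; the sample log lines are constructed, and 192.168.1.1 stands in for a home router. Run it on the saved output of `ipconfig /all` after step 3 to confirm the rogue servers are gone.

```python
import ipaddress
import re

# Assumption (not from the page): the 85.255.112.0/20 block, which contains both
# addresses in the page's HijackThis O17 line, is treated as DNSChanger-controlled.
# Extend this list with whatever ranges your own intelligence source documents.
SUSPICIOUS_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

# HijackThis O17 entry: "... NameServer = 85.255.116.86,85.255.112.157"
O17_RE = re.compile(r"NameServer\s*=\s*([0-9.,\s]+)")
# ipconfig /all entry: "   DNS Servers . . . . . . . . . : 85.255.116.86"
IPCONFIG_RE = re.compile(r"DNS Servers[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def extract_nameservers(text):
    """Collect DNS server addresses from HijackThis O17 lines or ipconfig /all output."""
    servers = []
    in_dns_block = False  # ipconfig prints extra DNS servers on indented continuation lines
    for line in text.splitlines():
        stripped = line.strip()
        m = O17_RE.search(line)
        if m:
            servers.extend(p.strip() for p in m.group(1).split(",") if p.strip())
            in_dns_block = False
            continue
        m = IPCONFIG_RE.search(line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block and IPV4_RE.fullmatch(stripped):
            servers.append(stripped)
            continue
        in_dns_block = False
    return servers


def check_nameservers(text):
    """Return the configured name servers that fall inside a suspicious range."""
    flagged = []
    for server in extract_nameservers(text):
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            continue  # ignore anything that is not a valid IP literal
        if any(ip in net for net in SUSPICIOUS_RANGES):
            flagged.append(server)
    return flagged


# Constructed samples: the first reuses the O17 line quoted on the page; the others
# imitate ipconfig /all output for an infected and for a clean machine.
HIJACKTHIS_SAMPLE = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5A3FA3-74FB-41DD-AD5B-F8C6C8B3D0EC}: NameServer = 85.255.116.86,85.255.112.157
"""

IPCONFIG_INFECTED = """
   IP Address. . . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.116.86
                                       85.255.112.157
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

IPCONFIG_CLEAN = """
   IP Address. . . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    samples = [
        ("HijackThis log", HIJACKTHIS_SAMPLE),
        ("ipconfig (infected)", IPCONFIG_INFECTED),
        ("ipconfig (clean)", IPCONFIG_CLEAN),
    ]
    for name, sample in samples:
        bad = check_nameservers(sample)
        verdict = "SUSPICIOUS " + ", ".join(bad) if bad else "no known DNSChanger servers"
        print(f"{name}: {verdict}")
```

A machine that has been set back to “Obtain DNS server address automatically” but still reports addresses in the suspicious range after a reboot is the case step 4 covers: the router itself is handing out the rogue servers over DHCP.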

4. Clean other DNSChanger-infected machines on your network and reset your router/modem settings.
Use this step if, after the reboot, trojan DNSChanger is still there when you scan with Malwarebytes Anti-Malware again.

  • If you have a home network with other DNSChanger-infected machines using your router, clean them with the steps above.
  • Now you should reset your router (trojan DNSChanger can change the router’s DNS settings). Press the reset button on the back of the router.
  • You may also need to consult your Internet service provider to find out which DNS servers you should be using.

If you are still having problems with your computer after completing these instructions, then please follow these instructions.
