Home Malware Programs Trojans DNS Changer

DNS Changer

Posted: November 20, 2011

DNS Changer Screenshot 1DNS Changer is a Trojan that attempts to change the infected computer's DNS (or domain name server) settings for malicious purposes. Although obvious symptoms of a DNS Changer infection may not be observable, SpywareRemove.com malware experts have noted that the full extent of DNS Changer's attacks can be dangerously-impressive and often include browser hijacks and attempts at theft of personal information. DNS Changer is also known as FBI DNS Changer, DNS Changer Virus, DNS Changer Trojan, Trojan:W32/DNSChanger, DNSChanger, DNS Changer Malware, Ghost Click Malware, Win32.DNSChanger, Windows DNS Changer, Ghost Click Virus or Doomsday Virus.

As of November 2011, many types of recent DNS Changer attacks have also used TDSS rootkits, banker Trojans and other forms of malicious software to enhance their spyware and security-lowering capabilities, and any attempt at removing DNS Changer should also include usage of anti-malware programs that can remove any additional PC threats.

The DNS Changer's Looming Internet Lockout Strikes This Monday

Although reputable entities such as Google, Facebook, various Internet service providers and even the FBI have all coordinated efforts to help DNS Changer victims, current reports indicate that countless thousands of DNS Changer-infected computers will still lose internet connectivity next Monday. This internet blackout date is the current date that's set for replacement DNS Changer servers to be taken down, which will leave PCs that are directed to those servers automatically without any ability to load even a single website.

There is a happy wrap up to this tale, but with a caveat: while DNS Changer's attacks were effectively halted with the closure of its malicious servers, and these servers were replaced with benign ones (this move was called Operation Ghostclick), these replacements are only up for a limited time. Our malware researchers have noted a sharp increase in assistance methods for victims of DNS Changer attacks as this Internet blackout date looms ever closer, including easy methods of detecting DNS Changer infections by visiting sites like www.dns-ok.us. Other popular sites, such as the Google search engine, have also taken to providing warning messages for infected computers as soon as they attempt to search or use another website-related feature. However, many computers remain infected by DNS Changer, and as long as its DNS alterations are still in place, affected computers will soon lose the ability to load any website at all.

This video illustrates the number of computers worldwide infected with DNSChanger every hour for the time period 01/01/2012 to 03/31/2012.

It should be stressed that since there may be no symptoms of a DNS Changer infection until the server shutdown date arrives, you shouldn't attempt to detect DNS Changer infections manually, particularly since they involve changes to sensitive system components. Our malware analysts recommend that you use a trustworthy brand of anti-malware application to detect and remove DNS Changer and its related changes, which can also be responsible for other attacks unless they're completely deleted. You can learn more on how threatening DNS Changer is from the 'DNS Changer Threatens Your Internet' video.

If DNS Changer or related PC threats prevent you from using appropriate software or visited PC security sites, boot your computer from a removable media device (such as a CD or USB drive) and proceed on from there with the uninfected OS. In rare cases where it's necessary, your ISP (among other sources) can also provide detailed instructions on DNS Changer removal.

The Unseen Dangers That Await with a DNS Changer Infection

Although DNS Changer can also be spread by other methods (most notably, via social networking-based links), most recent DNS Changer attacks have made use of TDSS rootkits to install themselves and gain access to the infected PC. DNS Changer is designed to attack Windows computers and does this in a very broad way - by abusing DNS settings to intercept and transmit online traffic. This allows DNS Changer to be used for many types of hijack-based attacks, such as:

  • Redirecting you to a phishing website that looks identical to a legitimate site. This method allows DNS Changer to steal passwords and other forms of personal information by requesting you to log in to an account at a fraudulent site.
  • Stealing passwords and other forms of online-transmitted information directly from legitimate sites.
  • Redirecting your web browser to irrelevant sites that pay click-based revenue to DNS Changer's criminal partners.
  • Redirecting your browser away from anti-malware sites that could provide assistance for removing DNS Changer.

Affiliated rootkits that can install DNS Changer such as TDL4 rootkit may also be responsible for other attacks on your PC. Until you've removed DNS Changer (and any related infections) with an appropriate anti-malware program, your computer's security will be severely-reduced, and you may be in danger of remote attacks that can take over or even damage your PC.

Find Out If You're Infected with DNS Changer

If your PC is still infected with DNS Changer, it's highly likely that you've experienced a total loss of Internet connectivity. This is due to a shutdown of servers that commenced at 12:01 AM on July 9th. In addition to technical methods of directly detecting DNS changes on your computer, SpywareRemove.com malware researchers can also recommend a profusion of various DNS Changer-detecting tools and websites. The afterward is an index of some of the many third-party entities that have worked to alert DNS Changer victims of the presence of DNS Changer malware:

  • You may have visited dns-ok.us or similar DNS Changer-detecting websites for different regions, such as dns-ok.nl, dns-ok.fi or dns-ok.gov.au. These FBI-recommended websites are designed to display highly-visible red alerts if your computer is infected with a variant of DNS Changer. However, they aren't foolproof – if your ISP redirects your DNS traffic by default, your PC may appear to be uninfected even if it truly is afflicted with DNS Changer.
  • As of early June 2012, Facebook also issued automatic warnings to any PC that was determined to be infected by DNS Changer. Facebook's warning message provides a link to DNS Changer Working Group or DCWG site, which, in its own turn, links back to one of the above sites for detecting DNS Changer.
  • Similar to Facebook, Google has had its own warnings to hand out to DNS Changer-infected computers. SpywareRemove.com malware analysts noted that Google's alert is much more generic than those used by the above sites, however; consequentially, some DNS Changer victims may have ignored Google's 'Your computer appears to be infected' warning as a false positive or a symptom of a browser hijacker.

Other than visiting the aforementioned websites, no special action needs to be taken; these sites will detect DNS Changer on your computer as you load their web pages. However, you may be unable to see these alerts or may receive inaccurate system analyses if your browser is blocking the scripts and related website features that are used to detect DNS Changer's system modifications. For this reason, SpywareRemove.com malware researchers strongly recommend that you enable all necessary features for trusted PC security sites.

Watch out for Alternate Forms of DNS-Modifying Attacks

Not all types of DNS Changer attacks are confined to the DNS settings of an individual computer. SpywareRemove.com malware experts have also found instances where advanced DNS Changer variants may choose, instead, to modify the settings of a communal router or modem. Strong user login names and passwords can help to protect these devices from being hijacked by DNS Changer and similar PC threats. It should be noted that even uninfected computers that use DNS Changer-infected routers, for example, will suffer the consequences of infection – for example, loss of Internet connectivity or exposure to harmful websites.

Methods for acquiring DNS data from these products will vary with the type of product in question, and SpywareRemove.com malware researchers recommend that you reference your router or modem's manual for guidance on how to acquire this information. However, once you've found your DNS Server information, you can check it for contamination by DNS Changer with any of the methods noted above.

Freeing Your DNS Settings from DNS Changer's Dominion

Because DNS Changer, by definition, changes your DNS settings, you may need to change your DNS settings back to normal values after you've deleted DNS Changer. Most variants of DNS Changer will use techniques to hide themselves, such as by using randomly-named files in the Windows folder, and should be removed by suitable anti-malware programs if such programs are available. Some versions of DNS Changer will also damage certain drivers – in most instances, restoring these drivers from backup copies will restore DNS Changer, and so you should reinstall these drivers from clean sources.

Because DNS Changer is a generic label, DNS Changer can be used to identify many types of PC threats that display its DNS-changing characteristics. DNS Changer may also be identified by the labels of TR/Dldr.DNS Changer, Trojan.BAT.DNS Changer.a, Trojan.DNS Changer.BX, Trojan:Win32/DNS Changer.AI, Win-Trojan/DNS Changer.72210 and Trojan.Win32.DNS Changer.re (among others).

Tips to Prevent DNS Changer Malware

Although DNS Changer attacks encompass multiple types of PC threats, there are some general precautions that you can take to make your network settings less vulnerable than otherwise to DNS Changer attacks. SpywareRemove.com malware experts particularly recommend:

  • Avoid default or commonly-used user names and passwords for network-related accounts, software and hardware. Passwords such as 'admin' and 'password1' are often cracked via brute force methods that allow malicious software like DNS Changer variants to change your network settings to their own preferences.
  • Monitoring IP activity for computers in your network. If a computer appears to be accessing one of the compromised DNS Changer IP numbers, you should isolate it from both the Internet and other PCs until it's disinfected.
  • Some brands of PC security and anti-malware programs can also offer particularly advanced solutions such as blocking unauthorized changes to sensitive portions of your Registry. You should only attempt this form of defense against DNS Changer if you're comfortable with working with the Registry and have your DNS server addresses set to be procured automatically. Specific instructions for this feature will vary with each brand of security software that offers it.
  • Avoid common means of installation by various PC threats, particularly those that are favored by DNS Changer variants. DNS Changer-related PC threats often disguise themselves as legitimate programs or updates such as codecs or script (Flash or JavaScript) packages.


DNS Changer Screenshot 2DNS Changer Screenshot 3

Technical Details

How to Detect Maliciously-Altered Domain Name System (DNS) Settings Manually

If you're unable or unwilling to access the above websites, or have any motive to believe that they might be inaccurate for your situation, you can also attempt to detect DNS Changer-altered Domain Name System settings by manual methods. These instructions will differ for different PC users, depending on your operating system.

DNS Attack-Detecting Instructions for Windows Users

The FBI provides its own detection method on its website that's usable once you know the IP address for your DNS Servers (which can be identified by a default Windows command). You can also use the Windows feature Ncpa.cpl, which is associated with Control Panel's management of network connectivity properties. Both methods can be launched and finished quickly and easily from the CMD.exe (what older PC users than the norm may still think of as a modern replacement for DOS).

Using the Forms.fbi.gov Website

The website Forms.fbi.gov, or to be more specific than that, forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS, offers DNS Changer detection once you've input your DNS information for analysis. The information FBI service can be procured from CMD.exe as follows:

  • Click Start and search for CMD.exe and launch it,

OR

Hold down your Start menu button on your keyboard while also holding R, type cmd.exe and click OK.

  • Type ipconfig /all and make a note of the information (by taking a screenshot or writing it down, as preferred). However, for the purposes of this procedure, all you need are the numbers of the DNS Servers.
  • Type your DNS Servers information (for an example of the format: 192.123.1.2) into the field at forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS. You'll be informed on the website whether or not your PC's DNS settings have been compromised by DNS Changer attacks.
Using the Ncpa.cpl Windows Feature

If you're uninterested in using the FBI website, a second method is also available. Follow the instructions as above until you know your DNS Servers information. From that point:

  • Click Start and search for Ncpa.cpl and launch it,

OR

Hold down your Start menu button on your keyboard while also holding R, type Ncpa.cpl and click OK. Either method will launch the Network Connections section of Control Panel.

  • Right-click on the icon the network connection that's in use (its description will vary with your type of connection) and click Properties.
  • Scroll the Networking 'items' section until you find Internet Protocol and click it.
  • Click the Properties button from within the window.
  • If you're set to obtain IP addresses automatically, your PC can be considered compromised. If you're set to use 'the following DNS addresses,' then your computer may be compromised by DNS Changer. Write down the numbers for both preferred and alternate servers, if this is applicable.
  • If any of the numbers fall within the following ranges (as determined by the United States FBI), your DNS settings have been altered with malicious intent:

    64.28.176.0 to 64.28.191.255
    67.210.0.0 to 67.210.15.255
    77.67.83.0 to 77.67.83.255
    85.255.112.0 to 85.255.127.255
    93.188.160.0 to 93.188.167.255
    213.109.64.0 to 213.109.79.255

DNS Attack-Detecting Instructions for Mac Users

Mac-based PCs can still use the same FBI website, forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS, to detect DNS Changer-based DNS modifications. However, the procedure for acquiring DNS information is slightly different from the Windows instructions, as follows:

  • Left-click your Apple menu icon and select System Preferences.
  • Left-click Network.
  • Click your active network connection as noted in the display.
  • Click the Advanced button from within the window.
  • Select the DNS tab (just to the right of the TCP/IP tab). This will display your DNS Server information, which can be checked as per the Windows instructions.

Fixing DNS Server Settings By Hand (without Software-Based Assistance)

Switching from predetermined DNS settings to automatically-acquired ones is an easy way for Windows users to manually 'turn off' malicious DNS settings – although this does not necessarily remove the associated DNS Changer infection, which may reverse your changing if DNS Changer is not deleted by anti-malware software or other methods. If you feel that you need to make these changes by hand and are confident that they will not be reversed, follow the first four parts of the 'Using Ncpa.cpl' section.

Select 'Obtain DNS server address automatically.' Note that most, but not all ISPs provide automated DNS server acquisition via a DHCP or Dynamic Host Configuration Protocol. If your PC uses an ISP or network that doesn't provide this feature, this solution will not work.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to DNS Changer may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria .

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



C:\Windows\system32\wdmaud.sys File name: C:\Windows\system32\wdmaud.sys
File type: System file
Mime Type: unknown/sys
C:\resycled\bootmatrix.com File name: C:\resycled\bootmatrix.com
File type: Command, executable file
Mime Type: unknown/com
TDSSserv.sys File name: TDSSserv.sys
File type: System file
Mime Type: unknown/sys
seneka.sys File name: seneka.sys
File type: System file
Mime Type: unknown/sys
gaopdxserv.sys File name: gaopdxserv.sys
File type: System file
Mime Type: unknown/sys
msqpdxserv.sys File name: msqpdxserv.sys
File type: System file
Mime Type: unknown/sys
gxvxcserv.sys File name: gxvxcserv.sys
File type: System file
Mime Type: unknown/sys
_VOIDd.sys File name: _VOIDd.sys
File type: System file
Mime Type: unknown/sys
ndisprot.sys File name: ndisprot.sys
File type: System file
Mime Type: unknown/sys
H8SRTd.sys File name: H8SRTd.sys
File type: System file
Mime Type: unknown/sys
MSIVXserv.sys File name: MSIVXserv.sys
File type: System file
Mime Type: unknown/sys
UACd.sys File name: UACd.sys
File type: System file
Mime Type: unknown/sys
ESQULserv.sys File name: ESQULserv.sys
File type: System file
Mime Type: unknown/sys
PayPal-2.5.200-MSWin32-x86-2005.exe File name: PayPal-2.5.200-MSWin32-x86-2005.exe
File type: Executable File
Mime Type: unknown/exe
%COMMON_DOCUMENTS%\cmijj.exe File name: %COMMON_DOCUMENTS%\cmijj.exe
File type: Executable File
Mime Type: unknown/exe
%COMMON_DOCUMENTS%\csrss.exe File name: %COMMON_DOCUMENTS%\csrss.exe
File type: Executable File
Mime Type: unknown/exe
%COMMON_DOCUMENTS%\LSSAS.exe File name: %COMMON_DOCUMENTS%\LSSAS.exe
File type: Executable File
Mime Type: unknown/exe
%COMMON_DOCUMENTS%\msert.exe File name: %COMMON_DOCUMENTS%\msert.exe
File type: Executable File
Mime Type: unknown/exe
%COMMON_DOCUMENTS%\mstsc.exe File name: %COMMON_DOCUMENTS%\mstsc.exe
File type: Executable File
Mime Type: unknown/exe
%MYPICTURES%\resycled File name: %MYPICTURES%\resycled
%PERSONAL%\resycled File name: %PERSONAL%\resycled
%PROFILE_TEMP%\AlfaBR.exe File name: %PROFILE_TEMP%\AlfaBR.exe
File type: Executable File
Mime Type: unknown/exe
%PROGRAM_FILES%\AccessMV File name: %PROGRAM_FILES%\AccessMV
%PROGRAM_FILES%\AlfaBR File name: %PROGRAM_FILES%\AlfaBR
%PROGRAM_FILES%\aquaplay File name: %PROGRAM_FILES%\aquaplay
%PROGRAM_FILES%\BestHD File name: %PROGRAM_FILES%\BestHD
%PROGRAM_FILES%\BlueRaTech File name: %PROGRAM_FILES%\BlueRaTech
%PROGRAM_FILES%\Convert2Play File name: %PROGRAM_FILES%\Convert2Play
%PROGRAM_FILES%\DDnsFilter File name: %PROGRAM_FILES%\DDnsFilter
%PROGRAM_FILES%\DecodingHQ File name: %PROGRAM_FILES%\DecodingHQ
%PROGRAM_FILES%\DigitalHQ File name: %PROGRAM_FILES%\DigitalHQ
%PROGRAM_FILES%\DigitalLabs File name: %PROGRAM_FILES%\DigitalLabs
%PROGRAM_FILES%\DVDConv File name: %PROGRAM_FILES%\DVDConv
%PROGRAM_FILES%\DVDextraPL File name: %PROGRAM_FILES%\DVDextraPL
%PROGRAM_FILES%\DVDTool File name: %PROGRAM_FILES%\DVDTool
%PROGRAM_FILES%\ExpressVids File name: %PROGRAM_FILES%\ExpressVids
%PROGRAM_FILES%\EZVideo File name: %PROGRAM_FILES%\EZVideo
%PROGRAM_FILES%\FreeHDplay File name: %PROGRAM_FILES%\FreeHDplay
%PROGRAM_FILES%\freshplay File name: %PROGRAM_FILES%\freshplay
%PROGRAM_FILES%\FullMovies File name: %PROGRAM_FILES%\FullMovies
%PROGRAM_FILES%\HDExtrem File name: %PROGRAM_FILES%\HDExtrem
%PROGRAM_FILES%\HDQuality File name: %PROGRAM_FILES%\HDQuality
%PROGRAM_FILES%\HDtvcodec File name: %PROGRAM_FILES%\HDtvcodec
%PROGRAM_FILES%\HeroCodec File name: %PROGRAM_FILES%\HeroCodec
%PROGRAM_FILES%\homeview File name: %PROGRAM_FILES%\homeview
%PROGRAM_FILES%\iVideo File name: %PROGRAM_FILES%\iVideo
%PROGRAM_FILES%\Mediaview File name: %PROGRAM_FILES%\Mediaview
%PROGRAM_FILES%\MpegBuster File name: %PROGRAM_FILES%\MpegBuster
%PROGRAM_FILES%\Network Monitor File name: %PROGRAM_FILES%\Network Monitor
%PROGRAM_FILES%\PlayMe File name: %PROGRAM_FILES%\PlayMe
%PROGRAM_FILES%\PLDivX File name: %PROGRAM_FILES%\PLDivX
%PROGRAM_FILES%\PluginVideo File name: %PROGRAM_FILES%\PluginVideo
%PROGRAM_FILES%\PlusCodec File name: %PROGRAM_FILES%\PlusCodec
%PROGRAM_FILES%\PornoPlayer File name: %PROGRAM_FILES%\PornoPlayer
%PROGRAM_FILES%\QuickTiming File name: %PROGRAM_FILES%\QuickTiming
%PROGRAM_FILES%\QuickyPlaeyr File name: %PROGRAM_FILES%\QuickyPlaeyr
%PROGRAM_FILES%\SiteEntry File name: %PROGRAM_FILES%\SiteEntry
%PROGRAM_FILES%\SunPorn File name: %PROGRAM_FILES%\SunPorn
%PROGRAM_FILES%\TonsOfPorn File name: %PROGRAM_FILES%\TonsOfPorn
%PROGRAM_FILES%\totalvid File name: %PROGRAM_FILES%\totalvid
%PROGRAM_FILES%\ubervid File name: %PROGRAM_FILES%\ubervid
%PROGRAM_FILES%\UltraVideo File name: %PROGRAM_FILES%\UltraVideo
%PROGRAM_FILES%\VideoKey File name: %PROGRAM_FILES%\VideoKey
%PROGRAM_FILES%\videoplay File name: %PROGRAM_FILES%\videoplay
%PROGRAM_FILES%\videosoft\Uninstall.exe File name: %PROGRAM_FILES%\videosoft\Uninstall.exe
File type: Executable File
Mime Type: unknown/exe
%PROGRAM_FILES%\XXXHoliday File name: %PROGRAM_FILES%\XXXHoliday
%PROGRAMS%\AccessMV File name: %PROGRAMS%\AccessMV
%PROGRAMS%\aquaplay File name: %PROGRAMS%\aquaplay
%PROGRAMS%\BHVideo File name: %PROGRAMS%\BHVideo
%PROGRAMS%\BlueRaTech File name: %PROGRAMS%\BlueRaTech
%PROGRAMS%\Convert2Play File name: %PROGRAMS%\Convert2Play
%PROGRAMS%\coolplay File name: %PROGRAMS%\coolplay
%PROGRAMS%\DecodingHQ File name: %PROGRAMS%\DecodingHQ
%PROGRAMS%\DigitalHQ File name: %PROGRAMS%\DigitalHQ
%PROGRAMS%\DigitalLabs File name: %PROGRAMS%\DigitalLabs
%PROGRAMS%\DivxFree File name: %PROGRAMS%\DivxFree
%PROGRAMS%\DVDConv File name: %PROGRAMS%\DVDConv
%PROGRAMS%\DVDextraPL File name: %PROGRAMS%\DVDextraPL
%PROGRAMS%\DVDTool File name: %PROGRAMS%\DVDTool
%PROGRAMS%\ExpressVids File name: %PROGRAMS%\ExpressVids
%PROGRAMS%\FreeHDplay File name: %PROGRAMS%\FreeHDplay
%PROGRAMS%\FullMovies File name: %PROGRAMS%\FullMovies
%PROGRAMS%\HDExtrem File name: %PROGRAMS%\HDExtrem
%PROGRAMS%\HDQuality File name: %PROGRAMS%\HDQuality
%PROGRAMS%\HDtvcodec File name: %PROGRAMS%\HDtvcodec
%PROGRAMS%\HeroCodec File name: %PROGRAMS%\HeroCodec
%PROGRAMS%\homeview File name: %PROGRAMS%\homeview
%PROGRAMS%\Mediaview File name: %PROGRAMS%\Mediaview
%PROGRAMS%\MoviesPlay File name: %PROGRAMS%\MoviesPlay
%PROGRAMS%\PlayMe File name: %PROGRAMS%\PlayMe
%PROGRAMS%\PlayMYDVD File name: %PROGRAMS%\PlayMYDVD
%PROGRAMS%\PLDivX File name: %PROGRAMS%\PLDivX
%PROGRAMS%\PluginVideo File name: %PROGRAMS%\PluginVideo
%PROGRAMS%\QuickTiming File name: %PROGRAMS%\QuickTiming
%PROGRAMS%\QuickyPlaeyr File name: %PROGRAMS%\QuickyPlaeyr
%PROGRAMS%\sexvid File name: %PROGRAMS%\sexvid
%PROGRAMS%\SiteEntry File name: %PROGRAMS%\SiteEntry
%PROGRAMS%\TonsOfPorn File name: %PROGRAMS%\TonsOfPorn
%PROGRAMS%\totalvid File name: %PROGRAMS%\totalvid
%PROGRAMS%\UltraVideo File name: %PROGRAMS%\UltraVideo
%PROGRAMS%\UNICCodec File name: %PROGRAMS%\UNICCodec
%PROGRAMS%\videoplay File name: %PROGRAMS%\videoplay
%SYSTEM%\cmd32.exe File name: %SYSTEM%\cmd32.exe
File type: Executable File
Mime Type: unknown/exe
%SYSTEM%\cmd64.exe File name: %SYSTEM%\cmd64.exe
File type: Executable File
Mime Type: unknown/exe
%SYSTEM%\csrcs.exe File name: %SYSTEM%\csrcs.exe
File type: Executable File
Mime Type: unknown/exe
%SYSTEM%\csrns.exe File name: %SYSTEM%\csrns.exe
File type: Executable File
Mime Type: unknown/exe
%SYSTEM%\csrss.exe File name: %SYSTEM%\csrss.exe
File type: Executable File
Mime Type: unknown/exe
%SYSTEM%\drivers\ndisprot.sys File name: %SYSTEM%\drivers\ndisprot.sys
File type: System file
Mime Type: unknown/sys
%SYSTEM%\kdgzh.exe File name: %SYSTEM%\kdgzh.exe
File type: Executable File
Mime Type: unknown/exe
%SYSTEM%\kdkgg.exe File name: %SYSTEM%\kdkgg.exe
File type: Executable File
Mime Type: unknown/exe
%SYSTEM%\kdlly.exe File name: %SYSTEM%\kdlly.exe
File type: Executable File
Mime Type: unknown/exe
%SYSTEM%\kdqwt.exe File name: %SYSTEM%\kdqwt.exe
File type: Executable File
Mime Type: unknown/exe
%SYSTEM%\kduev.exe File name: %SYSTEM%\kduev.exe
File type: Executable File
Mime Type: unknown/exe
%SYSTEM%\krl32mainweq.dll File name: %SYSTEM%\krl32mainweq.dll
File type: Dynamic link library
Mime Type: unknown/dll
%SYSTEM%\lsass.exe File name: %SYSTEM%\lsass.exe
File type: Executable File
Mime Type: unknown/exe
%SYSTEM%\MSlgx.exe File name: %SYSTEM%\MSlgx.exe
File type: Executable File
Mime Type: unknown/exe
%SYSTEM%\msmgs.exe File name: %SYSTEM%\msmgs.exe
File type: Executable File
Mime Type: unknown/exe
%SYSTEM%\msnqp.exe File name: %SYSTEM%\msnqp.exe
File type: Executable File
Mime Type: unknown/exe
%SYSTEM%\mssms.exe File name: %SYSTEM%\mssms.exe
File type: Executable File
Mime Type: unknown/exe
%SYSTEM_DRIVE%\autorun.inf File name: %SYSTEM_DRIVE%\autorun.inf
Mime Type: unknown/inf
%SYSTEM_DRIVE%\resycled File name: %SYSTEM_DRIVE%\resycled
%SYSTEM_DRIVE%\resycled\ntldr.com File name: %SYSTEM_DRIVE%\resycled\ntldr.com
File type: Command, executable file
Mime Type: unknown/com
%SYSTEM_DRIVE%\Users\Manuel File name: %SYSTEM_DRIVE%\Users\Manuel
%WINDOWS%\Tasks\MSWD-1b4abb06.job File name: %WINDOWS%\Tasks\MSWD-1b4abb06.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-27e0d013.job File name: %WINDOWS%\Tasks\MSWD-27e0d013.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-28d8d31d.job File name: %WINDOWS%\Tasks\MSWD-28d8d31d.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-2969d51d.job File name: %WINDOWS%\Tasks\MSWD-2969d51d.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-3e4ae7ad.job File name: %WINDOWS%\Tasks\MSWD-3e4ae7ad.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-4354122e.job File name: %WINDOWS%\Tasks\MSWD-4354122e.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-44fcb0c6.job File name: %WINDOWS%\Tasks\MSWD-44fcb0c6.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-4535c222.job File name: %WINDOWS%\Tasks\MSWD-4535c222.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-469d5901.job File name: %WINDOWS%\Tasks\MSWD-469d5901.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-56802d43.job File name: %WINDOWS%\Tasks\MSWD-56802d43.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-5d240b12.job File name: %WINDOWS%\Tasks\MSWD-5d240b12.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-6145903c.job File name: %WINDOWS%\Tasks\MSWD-6145903c.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-88e4ae02.job File name: %WINDOWS%\Tasks\MSWD-88e4ae02.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-95cf3d27.job File name: %WINDOWS%\Tasks\MSWD-95cf3d27.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-af53409d.job File name: %WINDOWS%\Tasks\MSWD-af53409d.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-b2be9e3f.job File name: %WINDOWS%\Tasks\MSWD-b2be9e3f.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-b868995b.job File name: %WINDOWS%\Tasks\MSWD-b868995b.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-c61509c8.job File name: %WINDOWS%\Tasks\MSWD-c61509c8.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-db3968bf.job File name: %WINDOWS%\Tasks\MSWD-db3968bf.job
Mime Type: unknown/job
%WINDOWS%\Tasks\MSWD-ee6b7301.job File name: %WINDOWS%\Tasks\MSWD-ee6b7301.job
Mime Type: unknown/job
%WINDOWS%\Temp\DAB.tmp File name: %WINDOWS%\Temp\DAB.tmp
File type: Temporary File
Mime Type: unknown/tmp
%WINDOWS%\Temp\tempo-1145640.tmp File name: %WINDOWS%\Temp\tempo-1145640.tmp
File type: Temporary File
Mime Type: unknown/tmp
%WINDOWS%\Temp\tempo-161796561.tmp File name: %WINDOWS%\Temp\tempo-161796561.tmp
File type: Temporary File
Mime Type: unknown/tmp
%WINDOWS%\Temp\tempo-161797121.tmp File name: %WINDOWS%\Temp\tempo-161797121.tmp
File type: Temporary File
Mime Type: unknown/tmp
%WINDOWS%\Temp\tempo-289.tmp File name: %WINDOWS%\Temp\tempo-289.tmp
File type: Temporary File
Mime Type: unknown/tmp
%WINDOWS%\Temp\tempo-394365031.tmp File name: %WINDOWS%\Temp\tempo-394365031.tmp
File type: Temporary File
Mime Type: unknown/tmp
%WINDOWS%\Temp\tempo-394365218.tmp File name: %WINDOWS%\Temp\tempo-394365218.tmp
File type: Temporary File
Mime Type: unknown/tmp
%WINDOWS%\Temp\tempo-44B.tmp File name: %WINDOWS%\Temp\tempo-44B.tmp
File type: Temporary File
Mime Type: unknown/tmp
%WINDOWS%\Temp\tempo-45B.tmp File name: %WINDOWS%\Temp\tempo-45B.tmp
File type: Temporary File
Mime Type: unknown/tmp
%WINDOWS%\Temp\tempo-66D.tmp File name: %WINDOWS%\Temp\tempo-66D.tmp
File type: Temporary File
Mime Type: unknown/tmp
%WINDOWS%\Temp\tempo-76546.tmp File name: %WINDOWS%\Temp\tempo-76546.tmp
File type: Temporary File
Mime Type: unknown/tmp
%WINDOWS%\Temp\tempo-97265.tmp File name: %WINDOWS%\Temp\tempo-97265.tmp
File type: Temporary File
Mime Type: unknown/tmp
%WINDOWS%\Temp\tempo-B7D.tmp File name: %WINDOWS%\Temp\tempo-B7D.tmp
File type: Temporary File
Mime Type: unknown/tmp
%WINDOWS%\Temp\tempo-E2B.tmp File name: %WINDOWS%\Temp\tempo-E2B.tmp
File type: Temporary File
Mime Type: unknown/tmp
%WINDOWS%\vkl_1250424439 File name: %WINDOWS%\vkl_1250424439
%WINDOWS%\vkl_1250424989 File name: %WINDOWS%\vkl_1250424989
%WINDOWS%\vkl_1250425116 File name: %WINDOWS%\vkl_1250425116
%WINDOWS%\vkl_1250425221 File name: %WINDOWS%\vkl_1250425221
%WINDOWS%\vkl_1250425267 File name: %WINDOWS%\vkl_1250425267
%WINDOWS%\vkl_1250425328 File name: %WINDOWS%\vkl_1250425328
%WINDOWS%\vkl_1250733143 File name: %WINDOWS%\vkl_1250733143
%WINDOWS%\vkl_1251463593 File name: %WINDOWS%\vkl_1251463593
%WINDOWS%\vkl_1251734499 File name: %WINDOWS%\vkl_1251734499
%WINDOWS%\vkl_1251745894 File name: %WINDOWS%\vkl_1251745894
%WINDOWS%\vkl_1251803401 File name: %WINDOWS%\vkl_1251803401
%WINDOWS%\vkl_1252481066.exe File name: %WINDOWS%\vkl_1252481066.exe
File type: Executable File
Mime Type: unknown/exe
%WINDOWS%\vkl_1252511207.exe File name: %WINDOWS%\vkl_1252511207.exe
File type: Executable File
Mime Type: unknown/exe
%WINDOWS%\vkl_1252511321.exe File name: %WINDOWS%\vkl_1252511321.exe
File type: Executable File
Mime Type: unknown/exe
%WINDOWS%\vkl_1252765651.exe File name: %WINDOWS%\vkl_1252765651.exe
File type: Executable File
Mime Type: unknown/exe
%WINDOWS%\vkl_1252765671.exe File name: %WINDOWS%\vkl_1252765671.exe
File type: Executable File
Mime Type: unknown/exe
%WINDOWS%\vkl_1252768743.exe File name: %WINDOWS%\vkl_1252768743.exe
File type: Executable File
Mime Type: unknown/exe
%WINDOWS%\vkl_1252768769.exe File name: %WINDOWS%\vkl_1252768769.exe
File type: Executable File
Mime Type: unknown/exe
%WINDOWS%\vkl_1252834079.exe File name: %WINDOWS%\vkl_1252834079.exe
File type: Executable File
Mime Type: unknown/exe
%WINDOWS%\vkl_1252834085.exe File name: %WINDOWS%\vkl_1252834085.exe
File type: Executable File
Mime Type: unknown/exe
%WINDOWS%\vkl_1252968719.exe File name: %WINDOWS%\vkl_1252968719.exe
File type: Executable File
Mime Type: unknown/exe
%WINDOWS%\vkl_1253053752.exe File name: %WINDOWS%\vkl_1253053752.exe
File type: Executable File
Mime Type: unknown/exe
%WINDOWS%\vkl_1253165416.exe File name: %WINDOWS%\vkl_1253165416.exe
File type: Executable File
Mime Type: unknown/exe
%WINDOWS%\vkl_1253165426.exe File name: %WINDOWS%\vkl_1253165426.exe
File type: Executable File
Mime Type: unknown/exe
%WINDOWS%\vkl_1253173827.exe File name: %WINDOWS%\vkl_1253173827.exe
File type: Executable File
Mime Type: unknown/exe
%WINDOWS%\vkl_1253173833.exe File name: %WINDOWS%\vkl_1253173833.exe
File type: Executable File
Mime Type: unknown/exe
%WINDOWS%\vkl_1253181420.exe File name: %WINDOWS%\vkl_1253181420.exe
File type: Executable File
Mime Type: unknown/exe
%WINDOWS%\vkl_1253181421.exe File name: %WINDOWS%\vkl_1253181421.exe
File type: Executable File
Mime Type: unknown/exe
B:\resycled File name: B:\resycled
C:\resycled File name: C:\resycled
D:\autorun.inf File name: D:\autorun.inf
Mime Type: unknown/inf
D:\resycled File name: D:\resycled
D:\resycled\ntldr.com File name: D:\resycled\ntldr.com
File type: Command, executable file
Mime Type: unknown/com
E:\resycled File name: E:\resycled
E:\resycled\ntldr.com File name: E:\resycled\ntldr.com
File type: Command, executable file
Mime Type: unknown/com
F:\autorun.inf File name: F:\autorun.inf
Mime Type: unknown/inf
F:\resycled File name: F:\resycled
F:\resycled\ntldr.com File name: F:\resycled\ntldr.com
File type: Command, executable file
Mime Type: unknown/com
G:\resycled File name: G:\resycled
G:\resycled\ntldr.com File name: G:\resycled\ntldr.com
File type: Command, executable file
Mime Type: unknown/com
H:\resycled File name: H:\resycled
H:\resycled\ntldr.com File name: H:\resycled\ntldr.com
File type: Command, executable file
Mime Type: unknown/com
I:\resycled File name: I:\resycled
I:\resycled\ntldr.com File name: I:\resycled\ntldr.com
File type: Command, executable file
Mime Type: unknown/com
J:\resycled File name: J:\resycled
K:\autorun.inf File name: K:\autorun.inf
Mime Type: unknown/inf
K:\resycled File name: K:\resycled
L:\resycled File name: L:\resycled
M:\resycled File name: M:\resycled
M:\resycled\ntldr.co File name: M:\resycled\ntldr.co
Mime Type: unknown/co
N:\resycled File name: N:\resycled
O:\resycled File name: O:\resycled
P:\resycled File name: P:\resycled
Q:\resycled File name: Q:\resycled
R:\resycled File name: R:\resycled
S:\resycled File name: S:\resycled
T:\resycled File name: T:\resycled
V:\resycled File name: V:\resycled
W:\resycled File name: W:\resycled
X:\resycled File name: X:\resycled
Z:\resycled File name: Z:\resycled

Registry Modifications

The following newly produced Registry Values are:

HKEY..\..\..\..{Subkeys}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxxHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer = 85.255.xxx.xxx,85.255.xxx.xxxHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1F5A3FA3-74FB-41DD-AD5B-F8C6C8B3D0EC} NameServer = 85.255.116.86,85.255.112.157HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[RANDOM] DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxxHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[RANDOM] NameServer = 85.255.xxx.133,85.255.xxx.xxxHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2B7C04D2-0898-43A3-B374-B7AFA580EA23} NameServer = 93.188.163.113,93.188.161.83

12 Comments

  • cindy parchim says:

    I tried to do this a couple days ago, but did not have any luck. I find it confusing when you state all the files that were created.

  • seneka.sys says:

    have a good day.

  • Mary Paige says:

    My Laptop keeps saying "this web page not available" when going to any site using IE. I use Chrome and I can pull up SOME sites. Could this be DNS Changer? What Do I do to find out?

  • Raymond Glover says:

    On a year-old Dell XPS desktop tower with Windows 7 home. I must have the DNS Changer virus. Cannot go to any website. How do I install another browser to try that? Using my neighbors laptop now due to this. I must find a solution soon so I can return his laptop. Can this antimalware spyhunter remove it?

  • Perry Lewis says:

    I had to go to library to find a solution for this. My PC runs just fine and I can run any program I want but the internet is not connecting. I spent almost 45 minutes on the phone with Comcast and the rep said I needed to use their Mcafee program to scan for viruses that could be blocking the internet. It was not until their supervisor said I could have the FBI DNS Changer on my computer. He told me to go to http://www.dcwg.org but how could I if I do not have internet access. They hung up after my connection was verified as working to the cable modem. I am at wits end here. How can I remove it if I have no internet to go to a fix site or download software to remove it???

  • Freddy says:

    In my opinion, just sloppy computer users were affected by the DNS Changer blackout, I'm sure that people who take care of their PC's security didn't have any problem. I didn't.

  • Cracker Jack says:

    The DNS Changer plague is a good example of why computer users should be careful when it comes to their PCs security! I know a lot of people that clicks on everything they see, get badly infected and still think they are entitled to complaint... just sayin!!!

  • Jeff Deetz says:

    With all the fuss made by the media about this DNS Changer wave, how can still having people that didn't check their computers in order to be on the safe side and avoid countless problems?

  • Ryan Lewis says:

    Lots of information to digest. I just want to remove this bull shi*! DNS Change thing has been messed up on my HP laptop since monday! Can you not get this malware program on a usb thumb and then install and run it from that?

  • Shelly B. says:

    I cannot thank you all enough for your Helpdesk services through Spyhunter. You were able to fix my dilemma and remove DNS Changer. Now have FULL internet access with no issues. You all are a Godsend!

  • frank thompson says:

    i have the fbi porn virus

  • Rahman says:

    Just what the doctor ordered, thaknity you!