DNSchanger trojan?

[tvout]

Hi all,
Not sure how many of you may have encountered this but I've now seen it on both my gf's laptop and her parents home PC.

Basically, you go to a supposedly secure site like ebay or a banking site and it brings up a form asking for security information.

Obviously you should never give such info out over e-mail etc but in both cases you would type in the address of the site and it looks like it should do when it loads but then when you enter your user id and password you then get a dodgy web page.
In the instance I was looking at yesterday it was on the Lloyds TSB site, after logging in it then asked for security information including ATM pin code and the security code on the back of the debit card!
It showed the Lloyds web address in the address bar and everything else seemed as normal.
I ran HijackThis, Spybot and checked the Hosts file and although Spybot got rid of tons of stuff this remained.
Installed Firefox and went to the Lloyds website and it didn't bring up this dodgy screen.
Anyone know anything about this if it is a DNSchanger or something and how best to remove it? I tried various AV/Malware/Spyware Programs previously and it never seemed to go. I'm thinking I'd have to manually hack the TCPIP/DNS entries in the registry...

[Matty_]

Combofix along with Malwarebytes is able to get rid of this nasty trojan/rootkit.

Go to http://www.bleepingcomputer.com/combofix/ but be careful if you go it alone, read the tutorial a couple of times. You should ideally use it under guidance as it can brick your system if you make a wrong move.
Just be carefull allthough it`s worth trying as i would not do any online activity which involves passwords until it gave the all clear(or you formatted)

Also if you do download combofix make sure it is from the above site of from forospyware.com
There are a few sites with combofix in the name that are not legit

[tvout]

Cheers, I hadn't heard of combofix before. Much appreciated