dnsChange virus

Discussion in 'Virus Information' started by Øyvind Granberg, Nov 13, 2008.

  1. Hi...

    As a continuance of the thread "Do I have a virus?"

    Well it's back. The Trojan.DNSChanger virus has really never left the
    building.
    I have downloaded and paid for software called Malwarebytes and it finds six
    instances of this virus.
    I choose to remove them, and the software wants to restart my computer.
    After reboot, a rerun of Malwarebytes shows that my system is clean.
    Then IE8 is started. All of a sudden I cannot connect to any website, not
    even Google.
    A new run of Malwarebytes reveals yet another six instances of the same
    virus.

    A checkup on all other computers in the household tells a tale of a massive
    outburst.

    I've got my ISP to reset the ADSL router, much against his beliefs, but no
    fix.

    I am running, amongst others, a self built Windows Vista Ultimate based pc,
    with all updates, and all security measures running.
    AVG 8
    Windows Defender
    A weekly run of Spybot and Adaware
    I reckon if I can clean this computer I can easily fix the others.

    What am I doing wrong here?
    Is this Malwarebytes a hoax?


    --

    Vennlig hilsen
    Øyvind Granberg


    www.tresfjording.com
     
    Øyvind Granberg, Nov 13, 2008
    #1

  2. Are you running as admin and do you have UAC disabled?
    (but aside from that "all security measures running")
    You want a list?
    No, it is a good application.

    This malware is extremely sticky - check for rootkit activity.
     
    FromTheRafters, Nov 13, 2008
    #2

  3. Malwarebytes' Anti-Malware is a good-quality bona fide application.
    After the software is updated try scanning in safe mode.
    How do you boot to Safe Mode?
    By pressing/tapping F8 (or F5 on some keyboards) during re-boot.
    A description of the Safe Mode Boot options in Windows XP
    http://support.microsoft.com/default.aspx?scid=315222
    Start your computer in safe mode (Vista)
    http://windowshelp.microsoft.com/Windows/en-us/help/323ef48f-7b93-4079-a48a-5c58eec904a11033.mspx
    http://www.bleepingcomputer.com/tutorials/tutorial61.html
    Alternatively:
    click onto Start==>Run, type "msconfig" (without quotation marks), click
    OK. Then click onto BOOT.INI tab and 'check' /SAFEBOOT then OK and click
    Restart. To go back to Normal Mode, you must access the System
    Configuration utility again and click the General tab then click/check the
    radio button 'Normal Startup - load all device drivers and services'.

    Not successful?

    Download/execute:
    David H. Lipman's MULTI_AV Tool
    http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe
    http://www.pctipp.ch/downloads/dl/35905.asp
    English:
    http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/
    Additional Instructions:
    http://pcdid.com/Multi_AV.htm
    and/or
    Kaspersky's AVPTool
    http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/
    --or--
    http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
    --or--
    http://ftp.kaspersky.com/devbuilds/AVPTool/
    There's no updating involved since the scanning engine is updated several
    times a day and you simply download the updated scanner whenever you want
    to do a scan. Uninstall after use. To uninstall/move this program 'enable
    self-defense' must be unchecked!
    --and/or--
    Dr.Web CureIt!® Utility - FREE
    http://www.freedrweb.com/cureit/
    --and--
    SuperAntispyware - Free
    http://www.superantispyware.com/superantispywarefreevspro.html

    Scan in normal and safe mode.

    Then download and execute HiJack This! (HJT)
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

    Please, do not post HJT logs to this newsgroup.
    Fora where you can get expert advice for HiJack This! (HJT) logs.

    http://www.thespykiller.co.uk/index.php?board=3.0
    http://www.spywarewarrior.com/viewforum.php?f=5
    http://forums.tomcoyote.org/index.php?showforum=27
    http://www.bleepingcomputer.com/forums/forum22.html
    http://www.malwarebytes.org/forums/index.php?showforum=7
    http://www.5starsupport.com/ipboard/index.php?showforum=18
    http://www.theeldergeek.com/forum/index.php?s=2e9ea4e19d3289dd877ab75a8220bff6&showforum=29

    NOTE:
    Registration is required in any of the above mentioned fora before posting
    a HJT log and read the 'stickies' (instructions/guidelines) for the
    respective HJT forum.

    Routinely practice Safe-Hex.
    http://www.claymania.com/safe-hex.html
    Hundreds Click on 'Click Here to Get Infected' Ad
    http://www.eweek.com/article2/0,1895,2132447,00.asp

    Good luck :)
     
    Kayman, Nov 13, 2008
    #3
  4. ....before you ask

    http://searchenterprisedesktop.techtarget.com/tip/0,289483,sid192_gci1086476,00.html
     
    FromTheRafters, Nov 13, 2008
    #4
  5. I'm saddened to learn that you have a continuing problem, OG.

    You said "Then IE8 is started"

    IE8 is in Beta - advice I've had says that you must expect problems if you
    use an 'un-finished' product. I suggest you uninstall IE8 and try to revert
    to IE7.

    I've enjoyed browsing your web site btw! :)

    Just to rub salt into the wound, you didn't need to pay anything to download
    and use Malwarebytes on a one-off basis (i.e. not continuous protection).

    If you have a rootkit, rather than try to find and kill it, I'm sure it will
    be much quicker for you to 'Flatten and Rebuild'. If you have access to the
    Internet, you may 'enjoy' reading through a thread I started earlier this
    year, still available on Google, here:-

    http://groups.google.co.uk/group/microsoft.public.security.virus/browse_thread/thread/5779fa422ba9af96/ee5f99b403a1e451?hl=en&lnk=gst&q=I've+done+both+of+these+'silly+things'!+#ee5f99b403a1e451

    My subsequent discussions now lead me to believe that one needs to clear the
    CMOS and probably flash the BIOS too if one wants to be sure of a clean
    machine.

    Good luck!

    Dave
     
    ~BD~, Nov 13, 2008
    #5
  6. From: "Øyvind Granberg" <>

    | Hi...

    | As a continuance of the thread "Do I have a virus?"

    | Well it's back. The Trojan.DNSChanger virus has really never left the
    | building.
    | I have downloaded and paid for software called Malwarebytes and it finds six
    | instances of this virus.
    | I choose to remove them, and the software wants to restart my computer.
    | After reboot, a rerun of Malwarebytes shows that my system is clean.
    | Then IE8 is started. All of a sudden I cannot connect to any website, not
    | even Google.
    | A new run of Malwarebytes reveals yet another six instances of the same
    | virus.

    | A checkup on all other computers in the household tells a tale of a massive
    | outburst.

    | I've got my ISP to reset the ADSL router, much against his beliefs, but no
    | fix.

    | I am running, amongst others, a self built Windows Vista Ultimate based pc,
    | with all updates, and all security measures running.
    | AVG 8
    | Windows Defender
    | A weekly run of Spybot and Adaware
    | I reckon if I can clean this computer I can easily fix the others.

    | What am I doing wrong here?
    | Is this Malwarebytes a hoax?

    First, the DNSChanger is NOT a virus. It is a Trojan and a close relative of the Zlob.
    Second, the new breed of the DNSChanger will indeed alter the DNS settings of SOHO Routers.
    One *must* change the default password to a strong password.

    What I have seen, in the sample I recently tested, is that the DNSChanger injects a DLL
    into the Spooler service. The Spooler Service is then restarted and will communicate with
    a SOHO Router with a weak password or the default password and it will then alter the SOHO
    Router, affecting your ability to access web sites.

    Several days ago I suggested that you post in an Expert Forum.

    You apparently failed to do so and that's why you are STILL having problems.

    Again I state... This is NOT a virus.
     
    David H. Lipman, Nov 13, 2008
    #6
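The mechanism David Lipman describes above (the trojan logs in to the router with its default or weak password and rewrites the router's DNS servers, so every DHCP client in the house inherits the rogue resolvers) suggests a quick check to run on each machine before cleaning it again: compare the DNS servers the adapter actually holds against the router's own address and the ISP's resolvers. The following Python is an added example for this thread, not code from any poster or from any tool named here. The `ipconfig /all` text, the 203.0.113.x "rogue" resolvers and the 198.51.100.x ISP resolvers are all constructed placeholders.

```python
import ipaddress
import re

# Constructed `ipconfig /all` output, not taken from the thread: a Vista host
# whose SOHO router has had its DNS servers replaced.  Every address is made
# up; 203.0.113.x (a documentation range) plays the rogue resolver.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : VISTA-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.10
                                       203.0.113.11
"""

# Assumed resolvers of the user's ISP (placeholder values, not a real ISP's).
TRUSTED_RESOLVERS = {"198.51.100.1", "198.51.100.2"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
KEY_VALUE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s?(.*)$")
KEYS = {"Default Gateway": "gateway", "DHCP Server": "dhcp_server",
        "DNS Servers": "dns", "DHCP Enabled": "dhcp_enabled"}


def parse_ipconfig(text):
    """Return {adapter name: {"gateway": [...], "dhcp_server": [...],
    "dns": [...], "dhcp_enabled": bool}} from `ipconfig /all` text."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]          # "Ethernet adapter ...:" starts a new adapter section
            adapters[current] = {"gateway": [], "dhcp_server": [], "dns": [], "dhcp_enabled": False}
            last_key = None
            continue
        if current is None:
            continue                     # global "Windows IP Configuration" block
        m = KEY_VALUE.match(line)
        if m:
            key, value = KEYS.get(m.group(1)), m.group(2)
            last_key = key
            if key == "dhcp_enabled":
                adapters[current][key] = value.strip().lower() == "yes"
                continue
        else:
            key, value = last_key, line  # indented continuation: another address for the previous key
        if key in ("gateway", "dhcp_server", "dns"):
            adapters[current][key].extend(IPV4.findall(value))
    return adapters


def is_lan_address(server):
    """True if the address lies in an RFC 1918 private range."""
    ip = ipaddress.ip_address(server)
    return any(ip in net for net in RFC1918)


def assess_adapter(adapter, trusted_resolvers=TRUSTED_RESOLVERS):
    """Flag DNS servers that are neither the router nor a trusted ISP resolver, and
    say where the setting came from: "dhcp" points at the router, "static" at the host."""
    router = set(adapter["gateway"]) | set(adapter["dhcp_server"])
    suspicious = []
    for server in adapter["dns"]:
        if server in trusted_resolvers or server in router:
            continue
        where = ("LAN address that is not the router" if is_lan_address(server)
                 else "address outside the LAN and not a trusted ISP resolver")
        suspicious.append((server, where))
    if not suspicious:
        source = "clean"
    elif adapter["dhcp_enabled"]:
        source = "dhcp"      # handed out by the router: inspect the router's DNS/WAN settings
    else:
        source = "static"    # configured on the host: inspect the adapter's TCP/IP settings
    return {"suspicious": suspicious, "source": source}


def check_host(ipconfig_text, trusted_resolvers=TRUSTED_RESOLVERS):
    """Assess every adapter in an `ipconfig /all` dump."""
    return {name: assess_adapter(a, trusted_resolvers)
            for name, a in parse_ipconfig(ipconfig_text).items()}


if __name__ == "__main__":
    for name, result in check_host(SAMPLE_IPCONFIG).items():
        print(f"{name}: source={result['source']}")
        for server, where in result["suspicious"]:
            print(f"  suspicious DNS server {server}: {where}")
```

Run `ipconfig /all` on each household machine, feed the output to `check_host`, and put your own ISP's resolvers in `TRUSTED_RESOLVERS`. A "dhcp" result with servers outside the LAN is the router-level change described in the post above, and explains why cleaning one PC and rebooting changes nothing: the rogue resolvers come back with the next DHCP lease. Note that a factory reset of the router also restores its default password, so change that password before the router goes back online, or the same infected machine can simply reconfigure it.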
  7. From: "~BD~" <~BD~@nomail.afraid.com>

    | My subsequent discussions now lead me to believe that one needs to clear the
    | CMOS and probably flash the BIOS too if one wants to be sure of a clean
    | machine.

    | Good luck!

    | Dave

    /* Absolutely NOT needed. */

    Please stay out of this discussion. You don't understand the problem nor the trojan's
    activity nor understand the workings of the hardware's interaction with the OS concerning
    the BIOS and CMOS.
     
    David H. Lipman, Nov 13, 2008
    #7
  8. You sound like my wife :)
    Why I'm asking this is because it doesn't seem to work right. It finds the
    trojan, but the registry entries remain after the fix.
    I downloaded RootkitRevealer, but it couldn't find anything.



    -- Øyvind G. --
     
    Øyvind Granberg, Nov 13, 2008
    #8
  9. First of all, why should I install Kaspersky or Sophos or McAfee or whatever
    when I do have AVG 8 installed?

    Secondly, paying ?20-50 for every malware remover on the net is not my way of
    spending a Thursday night. :)

    But I am working my way through your list...

    --øg--
     
    Øyvind Granberg, Nov 13, 2008
    #9
  10. Implement Countermeasures against DNSChanger.
    http://extremesecurity.blogspot.com/2008/06/use-default-password-get-hijacked.html
     
    Kayman, Nov 13, 2008
    #10
  11. Use my Remove-it software, it will remove that malware from your system.
    Choose yes for all options when prompted. Download it here
    http://pcbutts1.com/downloads/tools/tools.htm Use the email link on that
    page to send me a copy of the MBAM log.
     
    The Real Truth MVP, Nov 13, 2008
    #11
  12. Thank you ~BD~ for those kind words. Glad you liked my website :)

    I will reset the CMOS and BIOS at next reboot.

    I am opposed to reinstalling the OS. That is a solution I turned to in the
    past.
    I reformatted my first computer back in the late eighties. I thought it was
    THE solution in the nineties.
    This decade the procedure makes me physically sick... hehe...

    But after cleaning the registry, deleting files (autorun.inf) and folders
    (\resycled) the registry keys rebuilt themselves.
    Somewhere there has to be a file that is run at startup, or when I start IE.
    I will now revert to IE7 and flush CMOS and reset BIOS during restart.

    BRB


    --

    Vennlig hilsen
    Øyvind Granberg


    www.tresfjording.com
     
    Øyvind Granberg, Nov 14, 2008
    #12
  13. Whenever I jump off an aircraft in mid-flight I *always* carry a second
    parachute...
    None of the applications cost a dime; they are FREE! (Even Malwarebytes
    comes in a free version).
    Implement Countermeasures against DNSChanger.
    http://extremesecurity.blogspot.com/2008/06/use-default-password-get-hijacked.html
     
    Kayman, Nov 14, 2008
    #13
  14. On 11/13/2008 10:33 AM, ~BD~ sent:

    Snip, snip...
    Hello Dave:

    It is quite easy to take what we discussed, in the other thread, out of
    context. Extreme measures are not indicated in many instances. Good
    judgment, must be coupled with experience. Also, reburning the BIOS
    does come with its own set of risks of failure. The motherboard is
    clearly at risk. If the above malware is clearly hard disk drive
    resident, the risk/benefit ratio of reburning the BIOS is clearly not on
    the side of the system's tech/owner/user.

    A proper assessment/diagnosis must precede the proper corrective
    action.
     
    1PW, Nov 14, 2008
    #14
  15. Your procedure involves hundreds of MB to download.
    Aren't we here shooting sparrows with cannons?

    --

    Vennlig hilsen
    Øyvind Granberg


    www.tresfjording.com
     
    Øyvind Granberg, Nov 14, 2008
    #15
  16. Hello again, Pete :)
    I've still not worked out what this code means (busy doing other things
    today!) <grin>

    I fully appreciate your comments and I'm sure Øyvind Granberg will
    understand too. Having reviewed his web site and absorbed a notion of his
    experience with computers, I'm equally sure that he, just like me, will wish
    to experiment and try to solve his problems himself - without resorting to
    employing a 'professional' (as it seems you once were!).

    You say "A proper assessment/diagnosis must precede the proper corrective
    action". I fully accept this. With your wealth of experience, where would
    *you* recommend one might go on the Internet to achieve this objective?

    Why do I ask you? You are one of the few folk on these MS security
    newsgroups who has taken a great deal of time and trouble to help me better
    understand these technical matters (FromTheRafters has been another
    recently - thanks FTR). I do not profess, nor ever have, to be knowledgeable
    about computers. That doesn't mean that I am stupid and ignorant ....... as
    some here would have you believe!

    I did not come to these groups to solve my malware problems, rather to
    investigate how, and by whom, machines are infected in the first place. I
    basically trust no-one and don't believe something simply because it is
    showing on a screen in front of me. Nor do I blindly follow 'instructions'
    from any Tom, Dick or Harry (or even David H Lipman - whose credentials are
    completely unknown - yet who struts around these groups as if he is Lord of
    the manor!).

    The average guy who proceeds to a forum, downloads all manner of magical
    programmes to help fix his /her PC (under instruction, of course) will have
    absolutely no idea if their machine has *really* been cleaned - as long as
    it 'works', that will be sufficient. Lambs to the slaughter perhaps? <smile>

    Thanks for listening,

    Dave
     
    ~BD~, Nov 14, 2008
    #16
  17. Taking the easy road is how you got into this mess. David has
    given you good direction, and it will be good practice for the
    next time.
     
    FromTheRafters, Nov 14, 2008
    #17
  18. Øyvind

    You are exactly in the same boat as to the one you are answering too. Be careful it might sink. Learn to listen
     
    Peter Foldes, Nov 14, 2008
    #18
  19. But *I* appreciate your sense of humor. :oD
     
    FromTheRafters, Nov 14, 2008
    #19
  20. From: "Øyvind Granberg" <>

    | Your procedure involves hundreds of MB to download.
    | Aren't we here shooting sparrows with cannons?

    My procedure was for you to post in an Expert Forum and I don't see how it would require
    hundreds of MB of download.

    If you are talking about my Multi AV Scanning Tool, I never suggested you use it.
     
    David H. Lipman, Nov 14, 2008
    #20
