dnsChange virus

Discussion in 'Virus Information' started by Øyvind Granberg, Nov 13, 2008.

  1. 1PW Guest

    We are stealing this thread from one with a huge problem and great need.

    Let's begin another thread.

    Our apologies to all that read our blatherings.
     
    1PW, Nov 14, 2008
    #21

  2. ~BD~ Guest

    Hello Øyvind

    I replied to you earlier this morning from Google Groups (supposedly!) but
    cannot now find same via Google. I'd set a 'follow-up' in the hope that my
    message would show up in the 'microsoft.public.security.virus' group which I
    usually view with Outlook Express. It has not (so far) appeared
    ...............

    But I *have* found it here:-
    http://www.pcreview.co.uk/forums/showthread.php?t=3668206

    Scratching head (again!) - Puzzling to me (a user, not a guru!)

    Dave

    --
     
    ~BD~, Nov 14, 2008
    #22

  3. ~BD~ Guest

    --

    OK - I'll start a new thread 'Lambs to the slaughter perhaps?' <smile>

    Dave

    --
     
    ~BD~, Nov 14, 2008
    #23
  4. I will... as soon as Mr. Lipman's ENORMOUS four-step virus killer quest is
    over.
     
    Øyvind Granberg, Nov 14, 2008
    #24
  5. My HiJackThis log does not reveal anything suspicious.
    Not that I can see.
    No item in category #017 is listed.

    Here is the problem as reported in Malwarebytes:

    Registerfiler infisert:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer
    (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
    Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0bbac451-a3f6-43be-9c01-cfe8c09ad493}\DhcpNameServer
    (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
    Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer
    (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
    Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0bbac451-a3f6-43be-9c01-cfe8c09ad493}\DhcpNameServer
    (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
    Quarantined and deleted successfully.

    I have deleted them using MBAM and manually deleting these four or six
    entries in the registry.
    No dice!!
    Somewhere there is a file which reestablishes these registry keys again.
    Where?

    --

    Kind regards
    Øyvind Granberg


    www.tresfjording.com
     
    Øyvind Granberg, Nov 14, 2008
    #25
  6. Peter Foldes Guest

    And while it is running you are using the computer to post here among other things. Wonderful
     
    Peter Foldes, Nov 14, 2008
    #26
  7. From: "Øyvind Granberg" <>

    | My HiJackThis log does not reveal anything suspicious.
    | Not that I can see.
    | No item in category #017 is listed.

    | Here is the problem as reported in Malwarebytes:

    | Registerfiler infisert:
    | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer
    | (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
    | Quarantined and deleted successfully.
    | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0bbac451-a3f6-43be-9c01-cfe8c09ad493}\DhcpNameServer
    | (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
    | Quarantined and deleted successfully.
    | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer
    | (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
    | Quarantined and deleted successfully.
    | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0bbac451-a3f6-43be-9c01-cfe8c09ad493}\DhcpNameServer
    | (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
    | Quarantined and deleted successfully.

    | I have deleted them using MBAM and manually deleting these four or six
    | entries in the registry.
    | No dice!!
    | Somewhere there is a file which reestablishes these registry keys again.
    | Where?

    Assuming your SOHO Router is at 192.168.1.1:

    Go into your router; http://192.168.1.1 and examine the DNS entries.
     
    David H. Lipman, Nov 14, 2008
    #27
  8. To be honest David, I didn't ever see that post to this poster
    where you suggested the usual expert route. I *did* see the
    post by Malke where it is suggested to try your tool.

    I thought it was strange at the time, but assumed the post you
    referred to was in another group or thread which I am not
    monitoring.

    ....the way these web to usenet gateways seem to mess up the
    threading and the way the posters change subjects mid thread
    make it all a jumble.

    ....and then there's ~BD~ who does it on purpose.
     
    FromTheRafters, Nov 14, 2008
    #28
  9. From: "FromTheRafters" <>



    | To be honest David, I didn't ever see that post to this poster
    | where you suggested the usual expert route. I *did* see the
    | post by Malke where it is suggested to try your tool.

    | I thought it was strange at the time, but assumed the post you
    | referred to was in another group or thread which I am not
    | monitoring.

    | ...the way these web to usenet gateways seem to mess up the
    | threading and the way the posters change subjects mid thread
    | make it all a jumble.

    | ...and then there's ~BD~ who does it on purpose.


    Posted in: alt.comp.anti-virus
    Post subject: Re: I can't download...
    Date: Sunday, November 09, 2008 3:01 PM

    He posted (my time) at 2:54 PM just minutes before posting

    Posted in: microsoft.public.security.virus
    Post Subject: Do I have a virus?
    Date: Sunday, November 09, 2008 2:58 PM

    Basically, you Multi-Posted with two different subjects.
     
    David H. Lipman, Nov 14, 2008
    #29
  10. BoaterDave Guest

    --

    Hi FTR - I posted this item from OE at 2233GMT - it still has not
    shown up. Trying again from Google.


    I couldn't find it either to begin with. It was 'hiding' in
    alt.comp.anti-virus

    It would have been helpful to have had a copy placed in
    'microsoft.public.security.virus' at the outset - IMO

    This is it :-

    *******************************************

    From: "Øyvind Granberg" <>

    | Hi...


    | There is a virus in my computer. I am convinced about that.
    | I cannot download anything concerning updates to Ad-Aware or Spybot.
    | I cannot download anything at all from Microsoft.com like the Outlook
    | Connector or anything else I've tried.
    | Neither can I download the aforementioned files from these sites with FF3,
    | Google Chrome or Opera 9.26.


    | When browsing using IE8, I get a message stating that a pop up has been
    | prevented. Even on my own web pages where there is no pop up at all.


    | Something is preventing me from downloading anything that I can use to
    | remove it!?!?!


    | I need help...


    | Tried Bitdefender's online scanner and even that couldn't update its
    | definition file.


    | What is wrong, and how can I get rid of it?


    | --


    | Kind regards
    | Øyvind Granberg


    |
    | www.tresfjording.com


    Download and execute HiJack This! (HJT)
    http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe


    Then post the contents of the HJT log in your post in one of the below
    expert forums...


    { Please - Do NOT post the HJT Log here ! }


    Forums where you can get expert advice for HiJack This! (HJT) Logs.


    NOTE: Registration is REQUIRED in any of the below before posting a log


    Suggested primary:
    http://www.thespykiller.co.uk/index.php?board=3.0


    Suggested secondary:
    http://www.bleepingcomputer.com/forums/forum22.html
    http://castlecops.com/forum67.html
    http://www.malwarebytes.org/forums/index.php?showforum=7


    Suggested tertiary:
    http://www.dslreports.com/forum/cleanup
    http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
    http://www.atribune.org/forums/index.php?showforum=9
    http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Her...
    http://gladiator-antivirus.com/forum/index.php?showforum=170
    http://forum.networktechs.com/forumdisplay.php?f=130
    http://forums.maddoktor2.com/index.php?showforum=17
    http://www.spywarewarrior.com/viewforum.php?f=5
    http://forums.spywareinfo.com/index.php?showforum=18
    http://forums.techguy.org/f54-s.html
    http://forums.tomcoyote.org/index.php?showforum=27
    http://forums.subratam.org/index.php?showforum=7
    http://www.5starsupport.com/ipboard/index.php?showforum=18
    http://aumha.net/viewforum.php?f=30
    http://makephpbb.com/phpbb/viewforum.php?f=2
    http://forums.techguy.org/54-security/
    http://forums.security-central.us/forumdisplay.php?f=13
     
    BoaterDave, Nov 14, 2008
    #30
  11. Thanks, I suspected as much.
     
    FromTheRafters, Nov 15, 2008
    #31
  12. ~BD~ Guest

    Hello again Øyvind - How are things going?

    Have you had to wield your mighty sword yet? <grin>

    Dave

    --
     
    ~BD~, Nov 16, 2008
    #32
  13. ~BD~ Guest

    Maybe this will help <smile>

    (A post by Bill Castner of Aumha.net
    http://www.aumha.net/viewtopic.php?f=30&t=36886 )

    ********************************************

    There is a widespread DNS Hijacker going around that requires unusual
    measures to resolve. By posting this in a single and editable location, it is,
    I hope, a convenience to both me and the Forum.

    How Do You Know If You Have This Malware Infection?
    While the adware it pops up is more aggressive than typical adware
    infections, the DNS redirection is easy to test.
    Try the following in your Browser address bar:

    download.microsoft.com

    If you end up anywhere other than the official Microsoft Download Center,
    keep reading. For all others, you may have something else.

    So Now What?

    1. Create a "toolkit". Download the following to your Desktop and not any
    other location or Folder:

    GMER: http://www.gmer.net/index.php
    Malwarebytes Anti-Malware -- MBAM (if you have this installed, Uninstall it
    and download it again): http://www.malwarebytes.org/mbam.php
    PrevX CSI: http://www.prevx.com/freescan.asp

    2. Run MBAM. If it wants to reboot when finished, do so.
    3. Run Prevx CSI. If it wants to reboot when finished do so.
    4. Make sure you know the setup information for your router. You want to
    access the router configuration pages, and write down any information
    necessary to authenticate with your ISP. Please write this down, if you do
    not have a record elsewhere of this information. When in doubt, call your
    ISP and ask what is needed in the authentication fields of the router.
    5. Shut down your computer, and any other computer connected to your router.
    6. On the back of the router, there should be a small hole or button
    labelled RESET. Using a bent paper clip or similar item, hold that in
    continuously for twenty seconds. Unplug the router. Wait sixty seconds. Now
    holding again the reset button, plug it back in. Continue holding the reset
    button for twenty seconds. Unplug the router again.
    7. With the router unplugged, start your computer. Run MBAM again.
    8. Run Prevx CSI again.
    9. Connect again to the router. Then turn the router back on. When it
    stabilizes, reboot your workstation and try to access the internet. If you
    have any issues, access the Router configuration page and re-enter your
    authentication information.
    10. Reboot the workstation and do a final test.

    Special Note and Reading List:

    Several folks have asked why they have to RESET the router. And how on earth
    could malware affect the router in the first place? There are, that I have
    seen in the last week, in wide distribution, at least four malware
    infections, one rootkit-based, that at present do exactly this; and have
    since the last week in October. As to how this can be done, please read this
    short Article: http://www.geekstogo.com/2008/04/08/hav ... read-this/

    Does this mean you throw out your router and replace it? No. You do at least
    the RESET operation I described above. If you are exceedingly cautious about
    the matter, visit your router manufacturer's website and download the newest
    firmware release for your router. Then reflash the router firmware. Since
    there are literally thousands of router models out there, I cannot advise
    you about how to reflash your router firmware. The manufacturer's website
    should have utilities and instructions for doing so. I cannot answer any
    specific questions as to how to do this. In most cases, I consider a reflash
    of the firmware unnecessary.
     
    ~BD~, Nov 16, 2008
    #33
  14. From: "~BD~" <~BD~@no.mail.afraid.com>


    < snip >

    | Several folks have asked why they have to RESET the router. And how on earth
    | could malware affect the router in the first place? There are, that I have
    | seen in the last week, in wide distribution, at least four malware
    | infections, one rootkit-based, that at present do exactly this; and have
    | since the last week in October. As to how this can be done, please read this
    | short Article: http://www.geekstogo.com/2008/04/08/hav ... read-this/

    | Does this mean you throw out your router and replace it? No. You do at least
    | the RESET operation I described above. If you are exceedingly cautious about
    | the matter, visit your router manufacturer's website and download the newest
    | firmware release for your router. Then reflash the router firmware. Since
    | there are literally thousands of router models out there, I cannot advise
    | you about how to reflash your router firmware. The manufacturer's website
    | should have utilities and instructions for doing so. I cannot answer any
    | specific questions as to how to do this. In most cases, I consider a reflash
    | of the firmware unnecessary.


    What is NOT mentioned and should have been is that the SOHO Router should be enabled with
    a Strong Password.

    I agree that flashing the Router's FirmWare is not needed.
     
    David H. Lipman, Nov 16, 2008
    #34
  15. ~BD~ Guest

    FYI David - I've just finished a scan with the Windows Live Safety Scanner

    There were some minor Registry errors but of more concern was notification
    of the presence of 'Trojan Win32/AgentBypass.gen!k' details of which I found
    here:-
    http://onecare.live.com/site/en-gb/virusenc/VirusEncInfo.htm?virusname=Trojan%3aWin32%2fAgentBypass.gen!K

    Port 80 was also found Open.

    The price of experimentation I suppose! <s>

    Dave
     
    ~BD~, Nov 16, 2008
    #35
  16. Hi !!

    I am glad to inform you that I have taken care of the Zlob.dnschanger
    trojan. It's a trojan and therefore not contagious as viruses are. You have
    to take some action yourself in order to get it.

    It has changed the configuration in my Linksys wireless router to detour all
    traffic to their pages.
    See this link for more info:
    http://tresfjording.com/docs/2008-11-16_165353.png

    All I did was to log on to the router, change all numbers in all three
    Static DNS #1, 2 and 3 to null.
    Then I changed the password... very important!

    After that I ran Malwarebytes Anti-Malware and it found two instances of
    malware which it successfully removed.

    This procedure fixed all eight laptops and the desktop in the household.

    This information for your convenience!

    This is a fairly new method of messing up your computer and it takes
    advantage of sloppy wireless router owners still running behind the well
    known factory password. Also, if you, like me, accidentally tap in the info when
    a dialog box asks for it, please kick yourself in the butt! Hard!

    The trojan reports computer activity and keylogs to its principals.

    I am glad I worked it out.

    All systems green still five hours after the cleaning....

    Have a nice day!


    --

    Kind regards
    Øyvind Granberg


    www.tresfjording.com

    "The only thing between me and my goals is my own ignorance"
    (granberg - 2008)
     
    Øyvind Granberg, Nov 17, 2008
    #36
  17. The problem is that it changes the DNS entries in your wireless router, not
    your ADSL router, and every time MBAM deleted registry entries, it reinstated
    them through the web pages those new DNS addresses pointed to.

    See my latest reply to this thread and spread the word.

    --øg--
    A not so perturbed Norwegian Viking!
    My sword is still sharp... :)
     
    Øyvind Granberg, Nov 17, 2008
    #37
  18. From: "Øyvind Granberg" <>

    | The problem is that it changes the DNS entries in your wireless router, not
    | your ADSL router, and every time MBAM deleted registry entries, it reinstated
    | them through the web pages those new DNS addresses pointed to.

    | See my latest reply to this thread and spread the word.

    Wired or wireless... NO DIFFERENCE!

    As I stated, a SOHO Router. SOHO -- Small Office Home Office.

    As I posted earlier, the DNSChanger injects a DLL into the Windows Spooler Service. The
    Spooler Service is restarted and it communicates to the Router. It doesn't make a
    difference if you are wired through an RJ45 Ethernet port or if you attached wirelessly.
    The Spooler Service is hijacked (so to speak) and communicates to the router such as
    192.168.1.1. It will then use a dictionary of known passwords (or other methodology) to
    gain access to the Router's DNS entries. Once the DNSChanger modifies the DNS table of
    the Router any node that obtains an IP address from the Router via DHCP will gain the DNS
    entries the trojan has entered. Thus *any* device that obtains a DHCP lease from the
    Router will be using the DNS entries the trojan has inserted.

    There are Routers that combine a DSL modem with a Router such as a Westell 6100 and
    there are standalone Routers from DLink, Linksys, Netgear, etc. All are affected IFF the
    user uses the manufacturer's default password.

    As of yet, I have not heard of uPnP or protocols being used to bypass authentication at
    TCP port 80.
     
    David H. Lipman, Nov 17, 2008
    #38
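As an added example (not code posted by anyone in this thread), the script below turns two points made above into a defender's check: David's point that every DHCP client inherits whatever resolvers the router hands out, and the Malwarebytes report Øyvind posted in #25. It parses those DhcpNameServer lines and flags any resolver that is not on an allowlist. The known-bad addresses are the ones Malwarebytes reported; the router address 192.168.1.1 follows David's assumption, and the two ISP resolvers in EXPECTED are placeholders to be replaced with the ISP's real ones.

```python
"""Audit Windows DhcpNameServer values against an allowlist of expected resolvers.
Added example for this thread, not any poster's code; see the comments for what is assumed."""
import ipaddress
import re

# Bad resolvers reported by Malwarebytes in this thread (values from the post).
KNOWN_BAD = {"85.255.112.130", "85.255.112.170"}

# Assumed allowlist: the SOHO router (192.168.1.1, as David assumes) plus two
# placeholder ISP resolvers. Replace these with what your ISP actually uses.
EXPECTED = {"192.168.1.1", "203.0.113.53", "203.0.113.54"}

# Constructed copy of the posted Malwarebytes lines, joined onto one line each.
MBAM_LOG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0bbac451-a3f6-43be-9c01-cfe8c09ad493}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 -> Quarantined and deleted successfully.
"""

# Registry key up to DhcpNameServer, then the space-separated Data field.
LOG_RE = re.compile(r"^(?P<key>HKEY\S+DhcpNameServer)\s.*?Data:\s(?P<data>[^-]+?)\s*->")


def parse_nameservers(value):
    """Split a DhcpNameServer REG_SZ into valid IPv4 literals, skipping junk tokens."""
    servers = []
    for token in value.split():
        try:
            servers.append(str(ipaddress.IPv4Address(token)))
        except ipaddress.AddressValueError:
            continue
    return servers


def classify(server, expected=EXPECTED, known_bad=KNOWN_BAD):
    """Verdict for one resolver: a home router's DHCP lease should only hand out
    the router itself or the ISP's resolvers, so anything else is suspect."""
    if server in known_bad:
        return "known-bad"
    if server in expected:
        return "expected"
    return "unexpected"


def audit_log(text):
    """Map each DhcpNameServer registry key in the log to {server: verdict}."""
    findings = {}
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            servers = parse_nameservers(match.group("data"))
            findings[match.group("key")] = {s: classify(s) for s in servers}
    return findings


if __name__ == "__main__":
    for key, verdicts in audit_log(MBAM_LOG).items():
        print(key)
        for server, verdict in verdicts.items():
            print(f"    {server:16} {verdict}")
```

Because the router pushes the same resolvers to every DHCP client, the same check should be run on each machine in the household, not only the one that first showed symptoms.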
  19. Leythos Guest

    If you had disabled UPNP, not used the default network subnet, not used
    the default password or not provided the password to some program, it
    could not have changed it.

    Disable UPNP, change from 192.168.0.1 to 192.168.128.1 on the router,
    change the password, update the firmware if possible.
     
    Leythos, Nov 17, 2008
    #39
  20. I'll look into that...


    --

    Kind regards
    Øyvind Granberg


    www.tresfjording.com
     
    Øyvind Granberg, Nov 17, 2008
    #40
