Trojan.DNSChanger


9 replies to this topic

#1 kurtok

kurtok

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:13 PM

Posted 05 January 2009 - 04:49 AM

Hi!

Like many others I am infected by Trojan.DNSChanger. I have a cable network served by a D-Link 604 router connected to a cable broadband Internet provider. I run XP Pro on two computers in the network and both are infected by the Trojan. I also run Panda Antivirus Pro, which couldn't remove the trojan, and several other antivirus programs couldn't either! I have a mild attack according to Panda Support, who couldn't help but gave good words on Bleeping Computer ("well established security experts").

I have downloaded Smitfraudfix, Malwarebytes' Anti-Malware and HijackThis in order to be prepared for help and advice. Please also tell me if I should treat both computers in the same way. Please help!

A closer description of the trojan, its effects and attack ways would be interesting (or a link to such a description).


#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:13 AM

Posted 05 January 2009 - 08:06 AM

The following reset procedure will completely restore the default settings on your D-Link device including your password. This procedure applies to the DI-514, DI-524, DI-604, DI-614+, DI-624, DI-754, DI-764, DI-774, DI-784, DI-804V, DWL-700AP, DWL-800AP+, DWL-900AP+, DWL-1000AP+, DWL-2000AP, DWL-2100AP, DWL-6000AP, DWL-7000AP, and DWL-7100AP.

Step 1 Locate the reset pinhole on the back of the unit.

Step 2 With the unit powered on, press and hold the Reset button.

Step 3 Hold the Reset button for about 10 seconds.

Step 4 Release the Reset button.

Step 5 The unit will reboot. Allow 20-30 seconds before reconnecting.

Step 6 The device is now at factory defaults.

Note: Do not recycle power during the reset procedure.

The default user name for most D-Link devices is admin and the password is left blank.
When it says hold for about 10 seconds, don't hold for more than ten seconds or the procedure will likely fail; if ten seconds doesn't work, try 5 seconds.


Some of these infections spread across your LAN by router infection: the trojan sets your router to reinfect you even after a reformat of the computer. Resetting the router to factory defaults and then setting a strong password prevents this.

I would suggest using a clean computer to protect the router and having it disconnected from the internet.
Chewy

No. Try not. Do... or do not. There is no try.

#3 kurtok

kurtok
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:13 PM

Posted 05 January 2009 - 10:03 AM

Hi Chewy!

Thanks for the fast reply! I followed the procedure and now reside behind an uninfected computer and a reset D-Link 604. I am connected to the Internet via my original ISP through the router.

What next?

Can I now connect my router to the infected computers?

#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:13 AM

Posted 05 January 2009 - 03:32 PM

Did you set a strong password for the router that the infection can't break?

If so, the router should be secure from reinfection by infected computers.

Would you post a new MBAM log please?

Are there any signs of infection?
Chewy

No. Try not. Do... or do not. There is no try.

#5 kurtok

kurtok
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:13 PM

Posted 05 January 2009 - 03:53 PM

What do you mean by strong password? I used 6 positions, letters and numbers. 32 bits according to a password storage called KeePass (which it reaches with a sentence of 11 letters). Awaiting your reply.

#6 kurtok

kurtok
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:13 PM

Posted 05 January 2009 - 04:59 PM

Disregard the above Q.

I found Strong Password Standard dated Jan 10, 2005. Changed my router password in accordance with the guidelines, which gives me a password 60 bits strong. Hope it's sufficient.

The requested answer and log comes later.

#7 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:13 AM

Posted 05 January 2009 - 06:50 PM

AFAIK the trojans just use easy-to-guess passwords so far: blank, 123456, 98765 etc.

A hacker with a suitable program can break most anything, but that's a different story.
Chewy

No. Try not. Do... or do not. There is no try.

#8 kurtok

kurtok
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:13 PM

Posted 06 January 2009 - 02:42 AM

Chewy!

Sorry, I forgot to change the language, but maybe you can understand the log anyhow as the structure would be the same. Otherwise ask me for a new one. I know the rules of language in the forum so I hope I don't repeat the mistake!

Signs of infection? I haven't and hadn't many signs of infection but a slower computer. Sometimes I found empty advertisement windows behind the browser (easily removable); maybe that is a sign also?

How about my other computer? Do you need a log from that too?

Malwarebytes' Anti-Malware 1.31
Databasversion: 1596
Windows 5.1.2600 Service Pack 2

2009-01-06 08:12:38
mbam-log-2009-01-06 (08-12-12).txt

Skanningstyp: Fullständig skanning (C:\|D:\|E:\|F:\|)
Antal skannade objekt: 344486
Förfluten tid: 2 hour(s), 17 minute(s), 22 second(s)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 2
Infekterade mappar: 0
Infekterade filer: 0

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.109 85.255.112.238 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{6c26d838-9262-4635-bdbf-074f4acd9a21}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.109 85.255.112.238 -> No action taken.

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
(Inga illasinnade poster hittades)

Edited by kurtok, 06 January 2009 - 02:45 AM.
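As an added example (not code from the thread or from Malwarebytes), a small Python script that parses MBAM registry-data lines of the shape shown in the log above and flags every DhcpNameServer/NameServer resolver that is not one you expect. The sample log lines are constructed from the values in the thread, and the expected-resolver list is an assumed placeholder you would replace with your ISP's or router's real DNS servers.

```python
import ipaddress
import re

# Constructed sample: the two registry data items the thread's MBAM log
# reported (same key paths and the same two rogue resolver addresses).
SAMPLE_LOG = """\
Infekterade registerdataposter:
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\Tcpip\\Parameters\\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.109 85.255.112.238 -> No action taken.
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\Tcpip\\Parameters\\Interfaces\\{6c26d838-9262-4635-bdbf-074f4acd9a21}\\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.109 85.255.112.238 -> No action taken.
"""

# Assumed placeholder: the resolver(s) your DHCP server legitimately hands out.
EXPECTED_RESOLVERS = ("192.168.0.1",)

# Matches a registry data line whose key ends in \NameServer or \DhcpNameServer
# and captures the space-separated resolver list after "Data:".
NAMESERVER_LINE = re.compile(
    r"^(?P<key>HKEY_[^ ]*\\(?:Dhcp)?NameServer)\s.*?->\s*Data:\s*(?P<data>[0-9. ]+?)\s*->",
    re.IGNORECASE,
)


def parse_nameserver_entries(log_text):
    """Return [(registry_key, [IPv4Address, ...]), ...] for each NameServer item."""
    entries = []
    for line in log_text.splitlines():
        m = NAMESERVER_LINE.match(line.strip())
        if not m:
            continue
        ips = []
        for token in m.group("data").split():
            try:
                ips.append(ipaddress.ip_address(token))
            except ValueError:
                continue  # ignore anything that is not an IP literal
        entries.append((m.group("key"), ips))
    return entries


def find_rogue_resolvers(log_text, expected=EXPECTED_RESOLVERS):
    """Return [(registry_key, ip_string), ...] for resolvers not in `expected`."""
    allowed = {ipaddress.ip_address(e) for e in expected}
    rogue = []
    for key, ips in parse_nameserver_entries(log_text):
        for ip in ips:
            if ip not in allowed:
                rogue.append((key, str(ip)))
    return rogue


if __name__ == "__main__":
    for key, ip in find_rogue_resolvers(SAMPLE_LOG):
        print(f"unexpected resolver {ip} in {key}")
```

Both entries in the sample resolve to the same two unexpected addresses, so the script reports four hits; once the values point only at your provider's resolvers it reports nothing.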


#9 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:13 AM

Posted 06 January 2009 - 08:28 AM

I need to see scans from a fully updated MBAM; they are up to version 1.32 with better detection/heuristics.
Chewy

No. Try not. Do... or do not. There is no try.

#10 kurtok

kurtok
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:13 PM

Posted 07 January 2009 - 03:44 AM

Hi Chewy!

SUCCESS!

My computers seem to be free from trojans and other nasty things! The mbam log shows clean computers and they function OK.

I am very grateful for the advice and guidance given to me. I hope that others in the same situation as me can solve their problems by reading this discussion.

Thank you again Chewy. I enclose the latest mbam log and maybe, after a final comment by you, the discussion can be closed.

Malwarebytes' Anti-Malware 1.32
Database version: 1625
Windows 5.1.2600 Service Pack 2

2009-01-07 06:01:39
mbam-log-2009-01-07 (06-01-39).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 347463
Time elapsed: 2 hour(s), 16 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
