Potential Rogue DNS


This topic is locked
7 replies to this topic

#1 dexter_k

dexter_k

  • Members
  • 5 posts

Posted 06 April 2010 - 01:14 AM

Hi all,

Usually I tend to find these problems quite easy to fix when I'm fixing everyone else's machine, but I'm struggling with sorting my own (how ironic). I believe I have a rogue DNS on my machine but can't shift it. I have run Malwarebytes, AntiVir, Spybot S&D, ComboFix and VundoFix in search of something but found nothing. I've attached the files as requested in the instructions bit, but I can't enable the firewall as I'm being told there's an error (probably associated with my problems).

I can't access Google Chrome at all; the page just hangs when trying to access a site. IE8 does work, albeit when linking from Google, the majority of the time, I am redirected to another site.

Incidentally, the 'suspicious modification' on atapi.sys was of my own doing and was done on the advice of someone on this forum. This caused no improvement but didn't make it any worse.

Many thanks in advance all
Dex

Attached Files


Edited by dexter_k, 06 April 2010 - 02:59 PM.
Moved from XP ~BP
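The two symptoms in the opening post (Chrome hanging, Google result links redirecting in IE8) are what a changed resolver or a rewritten hosts file looks like from the browser. The script below is an added example, not code from the thread or from BleepingComputer: it parses the text that `ipconfig /all` prints on XP (run `ipconfig /all > ipconfig.txt`) and the file `%SystemRoot%\system32\drivers\etc\hosts`, flags DNS servers that are neither the gateway, on the LAN, nor in a caller-supplied list of resolvers your ISP or router really hands out, and lists every hosts mapping other than the stock loopback line. Both inputs are constructed samples; 203.0.113.0/24 is documentation address space used as a stand-in for an attacker-controlled resolver.

```python
"""Spot a rogue resolver or a hijacked hosts file from ipconfig and hosts text.

Added example (not from the forum thread). Inputs below are constructed;
the 203.0.113.55 address stands in for an attacker-controlled resolver.
"""
import ipaddress
import re

# Constructed sample of `ipconfig /all` output on an XP box. The second
# DNS entry is off-LAN and not the router: the trace a DNS-changer leaves.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.55
"""

# Constructed sample hosts file: the last line silently redirects google.com.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.55    www.google.com
"""

# "Key . . . : value" lines, and bare continuation lines carrying extra DNS servers.
_KV = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z -]*?)[ .]*: (?P<val>\S.*)$")
_CONT = re.compile(r"^\s+(?P<val>\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_ipconfig(text):
    """Pull address, mask, gateway and the DNS server list out of ipconfig text."""
    cfg = {"ip": None, "mask": None, "gateway": None, "dns": []}
    fields = {"IP Address": "ip", "Subnet Mask": "mask", "Default Gateway": "gateway"}
    last_key = None
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            last_key, val = m.group("key"), m.group("val").strip()
            if last_key in fields:
                cfg[fields[last_key]] = val
            elif last_key == "DNS Servers":
                cfg["dns"].append(val)
            continue
        m = _CONT.match(line)
        if m and last_key == "DNS Servers":   # wrapped second/third server
            cfg["dns"].append(m.group("val"))
    return cfg


def suspicious_dns(cfg, expected=()):
    """DNS servers that are not the gateway, not on the local subnet, not
    loopback and not in `expected` (the resolvers you know are legitimate)."""
    local = ipaddress.ip_network(f"{cfg['ip']}/{cfg['mask']}", strict=False)
    allowed = {ipaddress.ip_address(a) for a in expected}
    if cfg["gateway"]:
        allowed.add(ipaddress.ip_address(cfg["gateway"]))
    flagged = []
    for server in cfg["dns"]:
        addr = ipaddress.ip_address(server)
        if addr in allowed or addr in local or addr.is_loopback:
            continue
        flagged.append(server)
    return flagged


def hosts_overrides(text):
    """Every hosts mapping except the stock loopback -> localhost line.
    A real site pointed at a foreign address is a redirect; a security
    vendor's site pointed at 127.0.0.1 is malware blocking updates."""
    overrides = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:      # not a hosts entry
            continue
        overrides.extend((name, addr) for name in names
                         if not (ip.is_loopback and name == "localhost"))
    return overrides


def findings(ipconfig_text, hosts_text, expected_dns=()):
    """Combine both checks into one report dict."""
    cfg = parse_ipconfig(ipconfig_text)
    return {"rogue_dns": suspicious_dns(cfg, expected_dns),
            "hosts_overrides": hosts_overrides(hosts_text)}


if __name__ == "__main__":
    print(findings(SAMPLE_IPCONFIG, SAMPLE_HOSTS))
```

An off-LAN resolver is not proof by itself (many ISPs hand out public resolvers), which is why `expected` exists: fill it with what the router or ISP actually assigns and anything left over is the finding. The same family of trojans also rewrites the DNS settings on home routers left on default passwords, so a clean `ipconfig /all` is not the end of the check; compare the router's WAN DNS against the ISP's as well, and run `ipconfig /flushdns` after fixing either.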




#2 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country

Posted 09 April 2010 - 10:43 AM

Hello

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy.

As you can see the logs we ask for are very extensive and take a lot of time to investigate. In addition, since I am still in training all of my responses have to be reviewed by our excellent expert staff so there may be a delay in response time. The advantage is that your log will be evaluated by two sets of eyes and two brains.

If you haven't already, you can keep the link to this topic in your Favorites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic, where you can choose email notifications.

Please make sure Word Wrap in Notepad is turned off. When copying and pasting logs, paste them directly in the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7, it may be necessary to right click and choose Run as Administrator on any programs we use.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Again, keep in mind that it may take a couple of days or more before I can reply but once we get started the process should speed up.

Thank you for your patience!!
PW

#3 dexter_k

dexter_k
  • Topic Starter

  • Members
  • 5 posts

Posted 09 April 2010 - 12:59 PM

Hi PW,

Unfortunately, I've since run diagnostic tools but the problem remains, so I'll re-run the tests and upload them in the next hour.

Thanks
Dexter
EDIT:
Here are the latest logs

Attached Files


Edited by dexter_k, 09 April 2010 - 01:09 PM.


#4 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country

Posted 10 April 2010 - 11:55 AM

Hello dexter_k,

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to continue with cleaning please do the following:

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <----Important
    Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

In your next reply please let me know of your decision. If you wish to continue with the cleaning procedures please post the following:

ComboFix.txt

Note: Please do not attach logs unless asked to. Copy/paste them directly in the reply box.

Thanks!!
PW

#5 dexter_k

dexter_k
  • Topic Starter

  • Members
  • 5 posts

Posted 10 April 2010 - 12:48 PM

I will format at some point in the near future, but in the meantime, if we can clear the trojan then I'd be grateful.

Logs attached

Attached Files



#6 dexter_k

dexter_k
  • Topic Starter

  • Members
  • 5 posts

Posted 10 April 2010 - 07:02 PM

Hey PW,

After running ComboFix, the rogue program popped up again. It frustrated me so much, I've set my machine to format. Plus, I really need constant access to my online banking, so please feel free to close this thread down.

Thanks for your efforts
Dexter

#7 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country

Posted 11 April 2010 - 03:15 PM

Hello dexter_k,

Since you have decided to format and reinstall here is some useful information.

Your logs indicate you have registry cleaners installed.

Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done assuming that the major audience here at this board might be inexperienced users, and is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep them. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.

More information about registry cleaners can be found at Miekiemoes Blog

Your log(s) show that you are using so called peer-to-peer or file-sharing programs (in your case BitTorrent ). These programs allow file sharing between users as the name(s) suggest. In today's world cyber crime has become an enormous problem. Different ways are used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools as a huge amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading infected files via peer-to-peer tools and so these tools must be used with extreme care. Some further reading on this subject, along with included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes on copyright laws in many countries over the world, and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Back up your files.

When you back up data you need to save any files that you want to keep, as a clean install of the operating system will completely erase those files.

You can back up or save your files by burning them to CD, or saving to a floppy disk, an external drive, or a flash or thumb drive. These might include Word documents, .pdf files, music and pictures. Do not back up any programs or applications. If you use an external drive to save your data you will need to run Flash_Disinfector prior to backing up.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Note that the files with the following extensions should not be backed up:
.exe
.scr
.htm
.html
.xml
.zip
.rar
.asp
.php

If you do not have the XP disk but rather an OEM installation on your system follow the directions of your computer manufacturer to clean install XP.

If you reinstall XP, visit Microsoft Update here for the latest updates.

If you do not know how to perform a fresh install, use these websites and read for instructions on how to format and reinstall Windows:
http://www.theeldergeek.com/clean_installa..._windows_xp.htm
http://www.winsupersite.com/showcase/windowsxp_sg_clean.asp

New viruses come out every minute, so it is essential that you keep your antivirus program updated and have the latest signatures to provide you with the best possible protection from malicious software. I notice you have two antivirus programs installed: AntiVir Desktop and Microsoft Security Essentials.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Install Spyware Blaster and update it regularly
If you wish, the commercial version provides automatic updating.

Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
SuperAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non-commercial home use, but provide resident protection and do not nag if you purchase the paid versions. I personally prefer and highly recommend the licensed version of MBAM.
Please read and follow How did I get infected?, With steps so it does not happen again! as well as How to prevent Malware by Miekiemoes

If you have any questions please don't hesitate to ask.

Thanks!!
PW
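The backup advice above amounts to a procedure: copy the user's documents, pictures and music to the external drive, skip the listed extensions, and leave Flash_Disinfector's `autorun.inf` placeholder alone. The script below is an added example, not code from the post or from BleepingComputer, that carries it out and reports what it skipped. The source and destination paths and the small file tree it builds are constructed for illustration; on a real machine you would point `backup_tree()` at the profile folder and the drive letter of the external disk.

```python
"""Copy user data to a backup location, skipping the file types the post
lists, and report what sits at <drive>\\autorun.inf.

Added example (not from the forum thread). Paths and the sample tree
created by make_sample_tree() are constructed for illustration.
"""
import os
import shutil
import tempfile

# Extensions the post says not to back up (case-insensitive match).
SKIP_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml",
                   ".zip", ".rar", ".asp", ".php"}


def should_backup(name):
    """True unless the file's last extension is on the skip list.
    A double extension such as photo.jpg.exe is caught because only the
    final .exe is examined."""
    return os.path.splitext(name)[1].lower() not in SKIP_EXTENSIONS


def backup_tree(src, dst):
    """Copy every allowed file under src into dst, preserving the folder
    layout. Returns (copied, skipped) as sorted lists of relative paths
    using '/' as separator."""
    copied, skipped = [], []
    for root, _dirs, files in os.walk(src):
        rel_root = os.path.relpath(root, src)
        for name in files:
            rel = os.path.normpath(os.path.join(rel_root, name)).replace(os.sep, "/")
            if not should_backup(name):
                skipped.append(rel)
                continue
            target = os.path.join(dst, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(os.path.join(root, name), target)  # keep timestamps
            copied.append(rel)
    return sorted(copied), sorted(skipped)


def autorun_status(drive_root):
    """What lives at <root>\\autorun.inf: 'file' is what autorun malware
    plants on a removable drive, 'directory' is the hidden placeholder
    Flash_Disinfector leaves behind (do not delete it), 'absent' otherwise."""
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return "directory"
    if os.path.isfile(path):
        return "file"
    return "absent"


def make_sample_tree(base):
    """Constructed sample: three data files worth keeping and two that the
    post's extension list excludes."""
    files = {
        "My Documents/report.doc": b"doc",
        "My Documents/thesis.pdf": b"pdf",
        "My Pictures/holiday.jpg": b"jpg",
        "Desktop/installer.exe": b"MZ",
        "Desktop/Archive.ZIP": b"PK",
    }
    for rel, data in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return sorted(files)


def demo():
    """Run the backup against a temporary tree; returns (copied, skipped, autorun)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "profile")   # stands in for C:\Documents and Settings\<user>
        dst = os.path.join(tmp, "E")         # stands in for the external drive (assumption)
        make_sample_tree(src)
        # The placeholder folder Flash_Disinfector creates on the drive root.
        os.makedirs(os.path.join(dst, "autorun.inf"))
        copied, skipped = backup_tree(src, dst)
        return copied, skipped, autorun_status(dst)


if __name__ == "__main__":
    for label, value in zip(("copied", "skipped", "autorun.inf"), demo()):
        print(label, value)
```

The extension filter is a coarse rule, not a scan: a malicious document with a benign extension passes through it, so scan the backup with an up-to-date antivirus on the rebuilt machine before opening anything from it, and if `autorun_status()` reports a file rather than a directory on the external drive, treat that drive as infected and clean it before plugging it into the fresh install.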

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 20 April 2010 - 03:32 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

