DNSchanger - sneaky bugger.


This topic is locked. 4 replies to this topic.

#1 Talaith
  • Members
  • 2 posts

Posted 20 November 2011 - 02:17 AM

Hello, folks.

A few days ago I got an automated notification from my service provider informing me that I'd picked up a 'dnschanger' attempting to redirect my online traffic. My provider's blocking these attempts, but I'd like to get the issue fixed on my end. Their suggestion is that I reformat my entire hard drive - one particularly paranoid friend recommended that I scrap the entire drive and just start fresh. I have got my XP install disk and I'll reformat if I have to, but I would love to try and fix it first.

This thing is trying to redirect my traffic four times per day. Two days ago, things really went to hell - DRIVER_IRQL_NOT_LESS_OR_EQUAL errors, hard crashes, sound quality broken and stuttering, ten-minute boot sequences and general slowness. I did a single run of ComboFix out of pure desperation - yes, I know, naughty user - and that's at least got the box running well enough that I can get things done and run scans, but things are still not pretty.

The log I'm getting from my provider looks like this:

Date IP Additional Info
=================== =============== =======================================================
2011-11-16 00:02:55 184.96.226.235 infection => 'dns-changer', rogue_ns_ip => '213.109.64.6'
2011-11-16 06:03:12 184.96.226.235 infection => 'dns-changer', rogue_ns_ip => '213.109.64.6'
2011-11-16 12:03:32 184.96.226.235 infection => 'dns-changer', rogue_ns_ip => '213.109.64.6'
2011-11-16 18:09:25 184.96.226.235 infection => 'dns-changer', rogue_ns_ip => '213.109.64.6'

A full Malwarebytes run didn't pick anything up.

Two registry entries are affected by this that I've been able to find:

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters/DhcpNameServer (value changed to '192.168.0.1 213.109.64.6')

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters/Interfaces/{long tangled alphanumeric string}/DhcpNameServer (value changed to '192.168.0.1 213.109.64.6')

Manually changing the values doesn't stick (of course not, that'd be too easy).

System keeps managing to crash before I can get a GMER scan to finish. I'll add it when I get one done, hopefully.

I'm not yet convinced that I need to chuck my entire hard drive, because I am stubborn. Open to suggestions, and thank you!

DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Administrator at 19:29:46 on 2011-11-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2164 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Qwest\Desktop\QwestTouchPointAgent.exe
C:\Program Files\RocketFish\RF5.1\Surround Mixer\CTSysVol.exe
C:\Program Files\Browny02\Brother\BrStMonW.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Browny02\BrYNSvc.exe
C:\Program Files\Microsoft\BingBar\BingBar.exe
C:\Program Files\Microsoft\BingBar\BingApp.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://qwest.live.com
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [Gadwin PrintScreen] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QwestTouchPointAgent] "c:\program files\qwest\desktop\QwestTouchPointAgent.exe" /autostart
mRun: [CTSysVol] c:\program files\rocketfish\rf5.1\surround mixer\CTSysVol.exe /r
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1283119762796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1 213.109.64.6
TCP: Interfaces\{A1CC858A-D98E-4523-BA39-EBC604BBD5CB} : NameServer = 4.3.3.3,4.2.2.2
TCP: Interfaces\{A1CC858A-D98E-4523-BA39-EBC604BBD5CB} : DhcpNameServer = 192.168.0.1 213.109.64.6
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-9-5 232512]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKslc34a1026;MpKslc34a1026;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4744c62b-4e80-4a07-993d-d120cf45527a}\MpKslc34a1026.sys [2011-11-18 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2009-7-13 8576]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
R3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2011-10-6 245760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]
S3 pbfilter;pbfilter;\??\c:\program files\peerblock\pbfilter.sys --> c:\program files\peerblock\pbfilter.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-11-19 05:08:53 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4744c62b-4e80-4a07-993d-d120cf45527a}\MpKslc34a1026.sys
2011-11-19 05:07:00 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4744c62b-4e80-4a07-993d-d120cf45527a}\offreg.dll
2011-11-19 05:06:07 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4744c62b-4e80-4a07-993d-d120cf45527a}\mpengine.dll
2011-11-19 05:02:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-19 04:44:30 -------- d-----w- c:\program files\Microsoft Security Client
2011-11-19 02:30:10 -------- d-----w- C:\ComboFix
2011-11-17 23:14:09 -------- d-----w- c:\windows\system32\NtmsData
2011-11-14 15:17:32 -------- d-----w- c:\documents and settings\administrator.tallywhacker.001\local settings\application data\SWTOR
2011-11-12 06:27:59 -------- d-----w- c:\documents and settings\administrator.tallywhacker.001\application data\SUPERAntiSpyware.com
2011-11-12 06:07:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-12 06:07:23 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-11-09 01:18:32 -------- d-----w- c:\windows\system32\drivers\nav\1302000.00A
.
==================== Find3M ====================
.
2011-11-12 14:08:12 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 11:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 08:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 17:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 17:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 17:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-06 05:16:37 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-09-01 00:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 19:31:34.64 ===============
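Added example, not from the post or from BleepingComputer: a small Python audit that parses the two log formats quoted above (the ISP's notification lines and the "TCP:" lines of the DDS report), collects every configured resolver, and flags any address the ISP reported as rogue or any public resolver that is not on an operator-supplied trusted list. The sample lines are constructed from the ones in the post; treating 4.2.2.2 and 4.3.3.3 (the static NameServer values shown) as trusted is an assumption.

```python
import ipaddress
import re

# Constructed sample lines in the two formats quoted in the post: the ISP's
# notification log and the "TCP:" lines of the DDS report.
ISP_LOG = """\
2011-11-16 00:02:55 184.96.226.235 infection => 'dns-changer', rogue_ns_ip => '213.109.64.6'
2011-11-16 06:03:12 184.96.226.235 infection => 'dns-changer', rogue_ns_ip => '213.109.64.6'
"""

DDS_LINES = """\
TCP: DhcpNameServer = 192.168.0.1 213.109.64.6
TCP: Interfaces\\{A1CC858A-D98E-4523-BA39-EBC604BBD5CB} : NameServer = 4.3.3.3,4.2.2.2
TCP: Interfaces\\{A1CC858A-D98E-4523-BA39-EBC604BBD5CB} : DhcpNameServer = 192.168.0.1 213.109.64.6
"""

ISP_RE = re.compile(r"rogue_ns_ip => '([\d.]+)'")
DDS_RE = re.compile(r"^TCP: (?P<key>.+?) = (?P<value>.+)$")

def rogue_ips_from_isp_log(text):
    """Collect the resolver addresses the ISP reported as rogue."""
    return set(ISP_RE.findall(text))

def nameservers_from_dds(text):
    """Return {registry key: [ip, ...]} for every TCP: line in a DDS report.
    DDS separates resolvers with spaces (DhcpNameServer) or commas (NameServer)."""
    out = {}
    for line in text.splitlines():
        m = DDS_RE.match(line.strip())
        if not m:
            continue
        out[m.group("key")] = re.split(r"[ ,]+", m.group("value").strip())
    return out

def audit(dds_text, isp_text, trusted=()):
    """Flag resolvers reported rogue by the ISP, or public and not trusted.
    Private (RFC 1918) addresses such as the router at 192.168.0.1 are expected."""
    rogue = rogue_ips_from_isp_log(isp_text)
    findings = []
    for key, ips in nameservers_from_dds(dds_text).items():
        for ip in ips:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                findings.append((key, ip, "unparseable"))
                continue
            if ip in rogue:
                findings.append((key, ip, "reported rogue by ISP"))
            elif not addr.is_private and ip not in trusted:
                findings.append((key, ip, "public resolver not on trusted list"))
    return findings

if __name__ == "__main__":
    # Assumed trusted list: the static NameServer values shown in the report.
    for key, ip, why in audit(DDS_LINES, ISP_LOG, trusted={"4.2.2.2", "4.3.3.3"}):
        print(f"{key}: {ip} -> {why}")
```

Run against a fresh DDS report after cleanup; an empty result for the DhcpNameServer keys means the rogue resolver is no longer being handed out.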

#2 Noviciate
  • Malware Response Team
  • 5,277 posts

Posted 20 November 2011 - 05:12 PM

Good evening. :)

While I wouldn't go as far as throwing the drive out, I would back up all important data and then reformat and reinstall, and the reason is - Install Date: 8/30/2007 3:53:49 PM. The Windows installation is over three years old and must be showing signs of wear and tear by now.
Normal computer usage involving installations, uninstallations and updates all conspires to drag the system performance down over time, and there's very little you can do about it apart from starting afresh. This is something I do about every six months and I notice a real difference as a result.

The symptoms that you experienced a few days ago worry me a little as there could be system file corruption that would need reinstallation to cure.

The time that it will take to play "hunt the nasty" is very likely going to be longer than it will take to wipe and reinstall Windows and this should not only resolve the infection issue but also give the machine a well-earned spring clean - you may need to reset your router if you use one as an infection can sometimes modify the settings causing the redirection problems you are having.

All in all, it's quicker and more reliable to start afresh and that's what I would do if this was my machine, so that's what I recommend you do.

So long, and thanks for all the fish.


#3 Talaith
  • Topic Starter
  • Members
  • 2 posts

Posted 20 November 2011 - 10:18 PM

Hi, Noviciate!

After wrestling with this thing off and on for the last couple of days, I've come to much the same conclusion - just mildly anxious about the wipe and reinstall process. It's a minor miracle the machine has done as well as it has the last year.

I will do a little research into getting it done cleanly. Is there any particular reason I might want to go for a brand new boot drive beyond 'they all die eventually'?

Nearly everything I care about resides on the secondary drive anyway.

Many thanks for the response, and I will see what I can do on my end.

#4 Noviciate
  • Malware Response Team
  • 5,277 posts

Posted 21 November 2011 - 03:25 PM

Good evening. :)

just mildly anxious about the wipe and reinstall process....

I will do a little research into getting it done cleanly.

That's what this sub-forum is for - ask and ye shall be answered.

Is there any particular reason I might want to go for a brand new boot drive beyond 'they all die eventually'?

Apart from an overwhelming urge to have a bigger boot drive, nope, not as far as I'm concerned.

Nearly everything I care about resides on the secondary drive anyway.

Hard drive failures are pretty rare, but if you care that much, you'd have at least one other place as well - back-up or weep.

So long, and thanks for all the fish.


#5 Noviciate
  • Malware Response Team
  • 5,277 posts

Posted 07 December 2011 - 03:45 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.
