
DNSChanger trojan infection


This topic is locked
10 replies to this topic

#1 Lindhills

Posted 27 December 2011 - 01:38 PM

Hello, folks.

Three days ago an ASUS Netbook running Windows 7 (light) at our house was infected by a trojan, using the Windows security system to make it look as though everything was in ruins and directing us to buy some bogus anti-spyware. I Googled for "windows 7 anti spyware 2012" and found directions posted here on mybleepingcomputer (http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012) which I followed dutifully, thanks to all the contributors! Which seemed to clean it all up, back in business.

A day later I received an email from my ISP (CenturyLink) telling me the FBI detected a DNSChanger incident from my account stating that "the Department of Justice,with the assistance of the FBI, is recommending that you update your master boot record and reformat your hard drive or take it to a local repair shop to have this done." Yow! I have since run both Malwarebyte's Anti-Spyware and Secunia's vulnerability scanner on all four home computers and changed the admin name and password on my router (Zyxel PK5000Z provided by Quest). And today I get another email from Centurylink, stating the same thing:

"Our Security Services organization has received notification from the Federal Bureau of Investigation (FBI) about industry-wide malicious online traffic, which we have identified as impacting this account. This means that your computer or another computer on your network may be infected by malicious software known as "DNSChanger. ..."

I'm not sure what to do now. My ISP acts as though I'm the perpetrator here and says to follow the FBI instructions and is offering no help whatsoever.

Is--or can--the router itself be infected? Or are there some DNS entries in the router that I need to change? Do I really need to reimage all 4 home computers? I don't have the money to pay someone, and I have little time to spare to research this all out, nor am I all that technically savvy when it comes to these things. Any and all help is greatly appreciated!


#2 netsecdude

Posted 27 December 2011 - 01:44 PM

This might help out

http://www.myantispyware.com/2007/11/06/how-to-remove-trojan-dnschanger/

#3 Lindhills
  • Topic Starter

Posted 27 December 2011 - 01:57 PM

Thank you. That looks useful, especially the last two steps, which I have not done. I will try this when I get home from work.

#4 quietman7
  • Global Moderator

Posted 27 December 2011 - 10:35 PM

In regards to the instructions in that link, please be aware that the first step (Variant 1) is for older variants of TDSS malware. The step for Variant 4 advises to use Avenger.

CAUTION: Avenger is a very powerful program, designed to remove highly persistent files and registry keys "under the guidance and supervision of an expert". Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Using TDSSKiller and scanning with Malwarebytes Anti-Malware is much safer.

Instructions for using TDSSKiller can be found here. Step 7 instructs you to scan your computer using Malwarebytes Anti-Malware.

Note: Some infections will alter the Proxy settings in Internet Explorer which can cause redirects and affect your ability to browse, update or download tools required for disinfection. If you are experiencing such problems, check those settings. To do that, please refer to Steps 4-7 under the section Automated Removal Instructions in this guide. If using FireFox, refer to these instructions to check and configure Proxy Settings under Advanced Options > Network tab > Connection Settings.

Before doing anything further, if you have not already done so, you should back up all your important documents, personal data files and photos to a CD or DVD drive as some infections may render your computer unbootable during or before the disinfection process. If that occurs there may be no option but to reformat and reinstall the OS or perform a full system recovery. The safest practice is not to backup any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 Lindhills
  • Topic Starter

Posted 28 December 2011 - 11:06 AM

I think the machines are clean (no symptoms, clean reports from Malwarebyte and one other AV, everything updated per the listed utility) but I checked the proxy settings on IE just in case and they had not been tampered with. I think I'm backing this thing into a corner, the corner being my router, where I have even less knowledge, and where my ISP (provider of said router) has been of no help. I am receiving daily (2 so far) reports of rogue DNS activity from the FBI via my ISP, which is how I know that a problem exists yet as of two nights ago. I'm waiting to see if there's an infraction today. If so, I plan on resetting my router to factory settings and working with the ISP to get reconnected.

I appreciate the help here. Pretty much the best and most helpful forum I've experienced. Thanks.

#6 quietman7
  • Global Moderator

Posted 28 December 2011 - 11:35 AM

These are general instructions for how to reset a router:
  • Unplug or turn off your DSL/cable modem.
  • Locate the router's reset button.
  • Press, and hold, the Reset button down for 30 seconds.
  • Wait for the Power, WLAN and Internet light to turn on (On the router).
  • Plug in or turn on your modem (if it is separate from the router).
  • Open your web browser to see if you have an Internet connection.
  • If you don't have an Internet connection you may need to restart your computer.
For more specific information on your particular model, check the owner's manual. If you do not have a manual, look for one on the vendor's web site which you can download and keep for future reference.

Ensure you secure the router with a strong logon/password. Consult these links to find out the default username and password for your router, and write down that information so it is available when doing the reset:

#7 Lindhills
  • Topic Starter

Posted 28 December 2011 - 11:42 AM

I have a modem/router combo, Zyxel PK5000Z, from Quest, so resetting it is going to mean a call to my ISP since they never gave me the PPPoE password.

BTW, another rogue DNS issue was detected, and all the report says as to what actually happened is this:

The date, time (GMT) and IP addresses identified in our investigation
are as follows:

Date                IP              Additional Info
=================== =============== =======================================================
2011-12-27 01:20:32 184.97.189.219  infection => 'dns-changer', rogue_ns_ip => '85.255.127.4'

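The report format quoted above, as an added example (not the poster's, the ISP's or BleepingComputer's code): a Python script that pulls the rogue_ns_ip out of such a report and checks it against the DNS servers a Windows host is actually using, which is the concrete check behind the question of whether a PC or the router is handing out the rogue resolver. The ipconfig excerpt is constructed, and the parser assumes the standard `ipconfig /all` layout where extra DNS servers appear on continuation lines aligned under the first value.

```python
import re
import ipaddress

# Constructed copy of the report row quoted above (values as shown in the post).
REPORT = """\
2011-12-27 01:20:32 184.97.189.219 infection => 'dns-changer', rogue_ns_ip => '85.255.127.4'
"""

# Constructed `ipconfig /all` excerpt from a hypothetical Windows 7 host whose
# resolver points at the rogue name server (second server on a continuation line).
IPCONFIG_OUTPUT = (
    "Ethernet adapter Local Area Connection:\n"
    "   IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)\n"
    "   Default Gateway . . . . . . . . . : 192.168.0.1\n"
    "   DNS Servers . . . . . . . . . . . : 85.255.127.4\n"
    + " " * 39 + "192.168.0.1\n"
)

# One report row: timestamp, the account's public IP, infection name, rogue NS IP.
REPORT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<ip>\S+)\s+"
    r"infection => '(?P<infection>[^']+)', rogue_ns_ip => '(?P<rogue>[^']+)'",
    re.M,
)

def parse_report(text):
    """Return (timestamp, reported_ip, infection, rogue_ns_ip) tuples from the report."""
    return [m.groups() for m in REPORT_RE.finditer(text)]

def parse_dns_servers(ipconfig_text):
    """Collect every DNS server address listed in ipconfig /all output."""
    servers, col = [], None
    for line in ipconfig_text.splitlines():
        # A continuation line has nothing but whitespace before the value column.
        if col is not None and line.strip() and not line[:col].strip():
            servers.append(line.strip())
            continue
        col = None  # any other line ends the current DNS Servers field
        if "DNS Servers" in line and ":" in line:
            col = line.index(":") + 1
            servers.append(line[col:].strip())
    return [ipaddress.ip_address(s) for s in servers if s]

def rogue_resolvers(report_text, ipconfig_text):
    """Return configured DNS servers that match a rogue_ns_ip named in the report."""
    rogues = {ipaddress.ip_address(row[3]) for row in parse_report(report_text)}
    return [str(s) for s in parse_dns_servers(ipconfig_text) if s in rogues]

if __name__ == "__main__":
    print("rogue DNS servers configured:", rogue_resolvers(REPORT, IPCONFIG_OUTPUT) or "none")
```

A hit on the PC means the local resolver settings were changed; a hit only after a fresh DHCP lease points at the router's DNS settings instead.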


#8 Lindhills
  • Topic Starter

Posted 28 December 2011 - 11:50 AM

My ISP continues to insist:

Currently, there is no tool that is known to be effective in detecting and eradicating this infection from affected computers. As a precaution to protect your privacy and data , the Department of Justice, with the assistance of the FBI, is recommending that you update your master boot record and reformat your hard drive or take it to a local repair shop to have this done. If there are removal/fix tools that become available in the future to remove the infection without reformatting your hard drive, you will need to check the FBI website or other security resources for information.

Is this true? Despite running all these tools and programs, I'm still in need of disk reformatting?

And, is this true as well?

CenturyLink modems are not affected by the DNSChanger only the individual PC's and small office/residential routers.


Edited by Lindhills, 28 December 2011 - 12:25 PM.


#9 quietman7
  • Global Moderator

Posted 28 December 2011 - 01:53 PM

Despite running all these tools and programs, I'm still in need of disk reformatting?

Not necessarily. The severity of infection will vary from system to system, some causing more damage than others, especially when dealing with rootkits. The longer malware remains on a computer, the more opportunity it has to download additional malicious files which can worsen the infection so each case should be treated on an individual basis. Severity of system infection will also determine how the disinfection process goes.

In this case, I suspect disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please follow the instructions in the Preparation Guide For Requesting Help starting at Step 6.
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create two logs.
When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. After doing this, it would be helpful if you replied back in this thread with a link to the new topic so we can close this one.

If HelpBot replies to your topic, please follow Step One so it will report your topic to the team members.

#10 Lindhills
  • Topic Starter

Posted 28 December 2011 - 03:51 PM

Okay. Well, the Defogger froze, and things went south. I did a hard reboot and started the computer in safe mode and ran TDSSKiller which found a rootkit.win32.zaccess.aml (which I had TDSSKiller 'cure', of course.) Clearly this thing (ASUS Netbook) is infected deep down in its innards!

And here, at last, are the results posted as a new topic as instructed: results

P.S. If I knew my problems resided entirely on this computer, and it turns out to be a bugger to deal with, I would happily do what it takes to reformat and start all over. I'm just afraid if I went and did that, the problem might end up being somewhere else (though I'm reassured by my ISP that their router/modem can not be the problem.)

#11 quietman7
  • Global Moderator

Posted 28 December 2011 - 03:59 PM

ran TDSSKiller which found a rootkit.win32.zaccess.

That is what I suspected.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take several days to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

If HelpBot replies to your topic, please follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.