DNS Unlocker

3 replies to this topic

#1 frankslater

  • Members
  • 3 posts

Posted 29 December 2015 - 04:54 PM

Hey everyone. The same thing is happening on my computer, and I might have some additional information.

 

History: Through popups, I came to realize that something had gotten onto my PC. It was called "DNS Unlocker", as I found in the installed programs. It took me a while to remove (only the symptoms, I'm afraid). I dug through the registry and all. In the end I found that it had changed my DNS settings. Once I fixed that, the popups disappeared. I completely removed Firefox and reinstalled it, reset the firewall settings and whatever else I could think of. Worth noting that I only installed Eset after I detected the infection.

 

After all this I started seeing the blocking popups by Eset. It happened fairly rarely, but when I saw the malicious-looking address (skype-soft), I started digging.

Eset does provide information in the logs regarding the process initiating the connection; however, it's being initiated through temp files as a disguise, and they are deleted right after the event:

Time;URL;Status;Application;User;IP address
29/12/2015 20:59:56;http://skype-soft.com/download1?affiliate_id=000211&wv=60300&wi=9f6f2438-4849-490a-8a82-3c087e9d0c0e&wx=x64;Blocked by internal blacklist;C:\Users\X\AppData\Local\Temp\is-P8T4N.tmp\SteamHelper.tmp;PCY\X;77.81.105.188
27/12/2015 20:59:39;http://skype-soft.com/download1?affiliate_id=000211&wv=60300&wi=9f6f2438-4849-490a-8a82-3c087e9d0c0e&wx=x64;Blocked by internal blacklist;C:\Users\X\AppData\Local\Temp\is-P1O06.tmp\SteamHelper.tmp;PCY\X;77.81.105.188

This is when I googled a little to find a tip on figuring out what creates the temp files and ended up here.
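The log triage described in the post above, as an added example that is not part of the original post or of any ESET tooling: it parses the two semicolon-separated rows quoted in the post (column names taken from the post's header) and groups blocked connections by the process that initiated them. Collapsing the randomised per-run `is-XXXXX.tmp` directory name and treating a launch from `AppData\Local\Temp` as the disguise are my assumptions.

```powershell
# Added example, not part of the original post: parse the ESET web-access log rows quoted
# above (semicolon-separated, column names taken from the post's header) and group the blocked
# connections by the process that initiated them. The two data rows are the ones from the post.
$logText = @'
Time;URL;Status;Application;User;IP address
29/12/2015 20:59:56;http://skype-soft.com/download1?affiliate_id=000211&wv=60300&wi=9f6f2438-4849-490a-8a82-3c087e9d0c0e&wx=x64;Blocked by internal blacklist;C:\Users\X\AppData\Local\Temp\is-P8T4N.tmp\SteamHelper.tmp;PCY\X;77.81.105.188
27/12/2015 20:59:39;http://skype-soft.com/download1?affiliate_id=000211&wv=60300&wi=9f6f2438-4849-490a-8a82-3c087e9d0c0e&wx=x64;Blocked by internal blacklist;C:\Users\X\AppData\Local\Temp\is-P1O06.tmp\SteamHelper.tmp;PCY\X;77.81.105.188
'@

$rows = $logText | ConvertFrom-Csv -Delimiter ';'

# One object per blocked event. The per-run "is-XXXXX.tmp" directory name is randomised, so it is
# collapsed to a wildcard; otherwise every launch of the same dropped binary looks like a new process.
$events = $rows |
    Where-Object { $_.Status.Trim() -like 'Blocked*' } |
    ForEach-Object {
        $app = $_.Application.Trim()
        [pscustomobject]@{
            Time       = [datetime]::ParseExact($_.Time.Trim(), 'dd/MM/yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
            Host       = ([uri]$_.URL.Trim()).Host
            Executable = Split-Path -Leaf $app
            AppPattern = $app -replace '\\is-[A-Z0-9]+\.tmp\\', '\is-*.tmp\'
            FromTemp   = $app -match '\\AppData\\Local\\Temp\\'   # assumption: temp-dir launch is the disguise
            Ip         = $_.'IP address'.Trim()
        }
    }

# Group by (collapsed) launcher path and destination host. A recurring pair, each time from a fresh
# temp directory that is gone afterwards, points at something re-running the same dropper.
$events |
    Group-Object AppPattern, Host |
    ForEach-Object {
        $ordered = $_.Group | Sort-Object Time
        [pscustomobject]@{
            AppPattern = $ordered[0].AppPattern
            Host       = $ordered[0].Host
            Hits       = $_.Count
            FromTemp   = $ordered[0].FromTemp
            FirstSeen  = $ordered[0].Time
            LastSeen   = $ordered[-1].Time
            Ips        = ($ordered.Ip | Sort-Object -Unique) -join ','
        }
    } |
    Format-Table -AutoSize
```

With a real export, replace the here-string with `Get-Content` on the saved log file. The grouped view answers the question the log alone does not: the rows are not two unrelated processes but one launcher pattern hitting the same host on separate days, which is what makes a persistence mechanism such as a scheduled task the natural next place to look.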





#2 frankslater

  • Topic Starter
  • Members
  • 3 posts

Posted 29 December 2015 - 04:55 PM

Wow, looking at the logs copy-pasted one line each, it's easy to see the trend. My next stop is scheduled tasks.



#3 frankslater

  • Topic Starter
  • Members
  • 3 posts

Posted 29 December 2015 - 05:22 PM

Jackpot!

I see 2 tasks initiating processes to download more malicious stuff. Eset has been saving my behind.

 

To summarize, both of them have many triggers, including logon, startup, idle, every hour during the night and every half hour during the day. Both try to run with highest privileges, of course, etc.

 

The two scheduled jobs:

*DNSGERMANIA* Action: C:\Program Files (x86)\DNS Unlocker\dnsgermania.exe /Scheduled   (This probably has been failing because I deleted the folder)

*SteamClient* Action: "C:\Users\FG\AppData\Roaming\Steam\SteamHelper.exe" /VERYSILENT /AFFID000211 (This however wasn't, and probably triggered the blocks by Eset)

 

Hmm, SteamHelper.exe even had the steam logo.

Makes me wonder what else might be lurking on the system I don't know about. :(

 

I'll check the startup programs again in msconfig/Task Manager before going to bed.

 

Either way, I hope this helps someone.
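An added example of how to hunt for tasks like the two above, written for this page and not taken from the original post: it enumerates scheduled tasks with the ScheduledTasks module and scores each one on the traits the post lists (many triggers, repetition, "run with highest privileges", an action under the user profile, or an action whose target no longer exists because the folder was deleted). The user-writable path pattern, the argument pattern (`/VERYSILENT`, `/AFFID` from the task above) and the score threshold are my assumptions for illustration; the DNS listing at the end is for the changed DNS servers mentioned in the first post.

```powershell
# Added example, not part of the original post. Requires the ScheduledTasks module (Windows 8 /
# Server 2012 and later); run from an elevated prompt to see tasks registered by other users.

# Assumption: executables launched from these locations deserve a closer look.
$userWritable = '(?i)\\(Users\\[^\\]+\\AppData|Windows\\Temp|ProgramData)\\'
# Assumption: silent-install style switches and the /AFFID argument seen in the SteamClient task.
$suspiciousArgs = '(?i)/VERYSILENT|/SILENT|/AFFID'

$findings = foreach ($task in Get-ScheduledTask) {
    # Trigger class names look like MSFT_TaskLogonTrigger, MSFT_TaskBootTrigger, MSFT_TaskIdleTrigger ...
    $triggerTypes = @($task.Triggers | ForEach-Object {
        $_.CimClass.CimClassName -replace '^MSFT_Task', '' -replace 'Trigger$', ''
    })
    # "every hour during the night / every half hour during the day" shows up as a repetition interval.
    $repeating = @($task.Triggers | Where-Object { $_.Repetition.Interval }).Count -gt 0

    foreach ($action in @($task.Actions | Where-Object { $_.Execute })) {
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        $exists = Test-Path -LiteralPath $exe
        $score = 0
        if ($exe -match $userWritable)                 { $score += 2 }
        if ($task.Principal.RunLevel -eq 'Highest')    { $score += 1 }   # "run with highest privileges"
        if ($triggerTypes.Count -ge 3)                 { $score += 1 }
        if ($repeating)                                { $score += 1 }
        if (-not $exists)                              { $score += 1 }   # target deleted, task left behind
        if ($action.Arguments -match $suspiciousArgs)  { $score += 2 }
        [pscustomobject]@{
            Task      = $task.TaskPath + $task.TaskName
            Execute   = $exe
            Arguments = $action.Arguments
            RunLevel  = $task.Principal.RunLevel
            Triggers  = $triggerTypes -join ','
            Repeating = $repeating
            Exists    = $exists
            Score     = $score
        }
    }
}

$findings | Where-Object Score -ge 3 | Sort-Object Score -Descending |
    Format-Table Task, Execute, Arguments, RunLevel, Triggers, Exists, Score -AutoSize

# The first post also found changed DNS settings: list the resolvers each interface actually uses
# so an unexpected server can be spotted and compared with what the network should hand out.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, @{ Name = 'Servers'; Expression = { $_.ServerAddresses -join ',' } }
```

Review the flagged rows by hand before acting; legitimate updaters also run from AppData with several triggers. Once a task is confirmed as malicious, `Unregister-ScheduledTask -TaskName 'SteamClient' -Confirm:$false` removes it, and the `Exists = False` rows are the leftovers (like the DNSGERMANIA task pointing at the deleted DNS Unlocker folder) that still need cleaning up even though they currently fail.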



#4 Jo*

Jo*

  • Malware Response Team
  • 3,417 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:08:24 AM

Posted 31 December 2015 - 11:32 AM

Do you need help or is this only an info for other users?

Cheers,
Jo
