
[Resolved] Please Help me get rid of this annoying Trojan

129 replies to this topic

#121 Goonsac (Authentic Member, 68 posts)

Posted 11 November 2008 - 05:48 PM

LD, I hate to tell you this, but I got fed up with this problem, so I decided to unplug my secondary hard drive from the computer and do another fresh install. The install of Windows is complete, but I still cannot use Windows Update. I am about to run MBAM and I will post the results when it's done. Also, do you have any antivirus software you recommend I install on the computer? I have nothing currently installed.

Edited by Goonsac, 11 November 2008 - 05:49 PM.


#122 Goonsac (Authentic Member, 68 posts)

Posted 11 November 2008 - 05:56 PM

Ok, well now I'm kinda stumped. Here is the log on this totally recleaned system:

Malwarebytes' Anti-Malware 1.30
Database version: 1385
Windows 5.1.2600 Service Pack 3

11/11/2008 5:55:42 PM
mbam-log-2008-11-11 (17-55-42).txt

Scan type: Quick Scan
Objects scanned: 40512
Time elapsed: 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e5c9dd7e-e8d7-417b-8265-135c7ed2a569}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e5c9dd7e-e8d7-417b-8265-135c7ed2a569}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e5c9dd7e-e8d7-417b-8265-135c7ed2a569}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
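The log above shows the same rogue DhcpNameServer value written under CurrentControlSet, ControlSet001 and ControlSet002, both globally and per adapter. As an added example (not code from this thread or from Malwarebytes), here is a small Python parser that pulls those detections out of an MBAM log, reports which control sets were touched, and flags any resolver that is not on an allowlist of the resolvers the ISP actually assigns; the two-line sample log is constructed from the thread's entries, and 192.0.2.53 is a placeholder for a real ISP resolver.

```python
import ipaddress
import re

# Constructed sample in the shape of the MBAM 1.30 log quoted in the thread:
# two of its six DhcpNameServer hits plus the "Folders" line that follows them.
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e5c9dd7e-e8d7-417b-8265-135c7ed2a569}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.75 85.255.112.79 -> Quarantined and deleted successfully.
Folders Infected: (No malicious items detected)
"""

# One MBAM registry-data line: <key> (<threat>) -> Data: <value> -> <action>.
LINE_RE = re.compile(
    r"^(?P<key>HKEY_\S+\\(?:Dhcp)?NameServer) \((?P<threat>[^)]+)\) -> "
    r"Data: (?P<data>.*?) -> (?P<action>.+?)\.?$"
)
CONTROL_SET_RE = re.compile(r"\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\")


def parse_dns_detections(log_text):
    """One dict per NameServer/DhcpNameServer hit; other log lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        servers = []
        for token in m["data"].split():
            try:  # keep only tokens that are valid IPs; MBAM data can hold junk
                servers.append(str(ipaddress.ip_address(token)))
            except ValueError:
                pass
        cs = CONTROL_SET_RE.search(m["key"])
        hits.append({"key": m["key"], "threat": m["threat"],
                     "control_set": cs.group(1) if cs else None,
                     "per_interface": "\\Interfaces\\" in m["key"],
                     "servers": servers, "action": m["action"]})
    return hits


def unexpected_resolvers(hits, expected):
    """Resolver IPs in the hits that are not on the ISP/admin allowlist."""
    allowed = {str(ipaddress.ip_address(ip)) for ip in expected}
    return sorted({ip for h in hits for ip in h["servers"]} - allowed)


def touched_control_sets(hits):
    """Every control set the value was written to; cleaning just one is not enough."""
    return sorted({h["control_set"] for h in hits if h["control_set"]})
```

Run the parser over a saved mbam-log-*.txt and compare the result with the resolvers your ISP states you should be using; the same check against a router's DHCP settings page is what the reset advice further down is about.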

#123 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 11 November 2008 - 07:23 PM

This sounds like a case of Zlob/DNSChanger that changes the router's DNS settings.

Next disconnect your system from the internet, and your router, then…

  • Double click mbam-setup.exe to install the application.
  • Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
===============================================

Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don't know the router's default password, you can look it up HERE.

However, if there are other Zlob-infected machines using the same router, they will need to be cleared with the above steps before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. You also need to reconfigure any security settings you had in place prior to the reset. Check out this site here for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Once you have run Malwarebytes' Anti-Malware on the infected system and reset the router to its default configuration, you can reconnect to the internet and router. Then return to this site to post your logs.

===============================================

Please post the Malwarebytes log and let me know how things are running now

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days
Proud graduate of TC/WTT Classroom


#124 Goonsac (Authentic Member, 68 posts)

Posted 11 November 2008 - 08:46 PM

Ok LD, while I was waiting for your reply my friend showed me how to reconfigure my modem so that it was no longer bridged, so that only my computer could be online, plugged directly into the modem with no router. I then wiped the hard drive and reinstalled Windows AGAIN. So far no signs of that pesky DNSChanger, but as you just stated, it's something that messes with routers. I'm going to fully update Windows, then run MBAM again just to see if it shows back up, because I ran it once after this newest fresh install and there was nothing there. But I do have to hook the computer back up to the router because there are 2 other computers that share internet in the household. I'll update this thread if something changes after a full update and I reconnect the router.

#125 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 11 November 2008 - 08:50 PM

What I posted above is what's being used to remove the router infection. I'll bet once you connect to your router, without resetting it as above, the infection will show up again. When it does, just follow those directions.


#126 Goonsac (Authentic Member, 68 posts)

Posted 12 November 2008 - 02:12 PM

LD, I know I told you I took the internet access from the router and it's only on my PC, but I did leave the router plugged in power-wise, and my parents still get a router signal, just no internet. So we ran MBAM on both systems; it cleaned them, then they came right back. Should I completely power down the router, then run the program on both computers, or would that even matter? Also, once I bridge my modem to work with the router, I should just plug power back into the modem and hold the reset button for 10-15 seconds, then let it reconfigure my IP address and then go about using the net as normal, correct?

#127 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 12 November 2008 - 04:00 PM

Power off the router. Unplug all connections.
Clean all systems with MBAM. Run it twice to make sure everything is gone.

Plug only the power back in to the router.

Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don't know the router's default password, you can look it up HERE.

You also need to reconfigure any security settings you had in place prior to the reset. Check out this site here for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Once you have run Malwarebytes' Anti-Malware on the infected system and reset the router to its default configuration, you can reconnect to the internet and router. Then return to this site to post your logs.


#128 Goonsac (Authentic Member, 68 posts)

Posted 14 November 2008 - 09:52 AM

Well LD, my whole household and I are very thankful. Looks like all the back and forth efforts worked and I finally have a clean system and network. Thanks again; if any new or old problems arise I'll just start a new thread.

#129 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 14 November 2008 - 09:20 PM

Good job :thumbup:

I don't know if you still have ComboFix or not. If so, do this:

  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.

Here's my usual all clean post.

Log looks good :D


  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab.
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialize and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer, meaning it will be difficult to infect yourself in the future.
  • Winpatrol
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

Also: "How to prevent malware"


#130 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 22 November 2008 - 09:55 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
