
MalwareBytes a waste of money?


18 replies to this topic

#1
Øyvind Granberg

    New Member

  • Members
  • Pip
  • 9 posts
Hi...

I am, or actually my computer is, infected by a trojan named Zlob.DNSChanger, and after googling around trying various more or less serious solutions, I ended up buying and installing MalwareBytes since it was so wholeheartedly recommended on web pages and in newsgroups.

After a quick scan MBAM found six instances of the aforementioned digital equestrian sports freak.
These were promptly deleted, and the computer rebooted.

To my big surprised blue eyes, the same six registry keys were back in a check up scan after reboot.
MBAM did NOT remove the threat.

What am I to do?
:blink:

regards
Øyvind Granberg
A perturbed Norwegian

#2
Tigger93

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 1,648 posts
  • Gender:Male
Can you please post the MalwareBytes log?

#3
Øyvind Granberg

    New Member

  • Members
  • Pip
  • 9 posts
Oh.. I forgot:
The MBAM logfile:
Malwarebytes' Anti-Malware 1.30
Database version: 1395
Windows 6.0.6001 Service Pack 1

14.11.2008 03:34:27
mbam-log-2008-11-14 (03-34-27).txt

Scan type: Quick Scan
Objects scanned: 51982
Time elapsed: 4 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0bbac451-a3f6-43be-9c01-cfe8c09ad493}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0bbac451-a3f6-43be-9c01-cfe8c09ad493}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{0bbac451-a3f6-43be-9c01-cfe8c09ad493}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4
Raid

    Malware Researcher

  • Experts
  • PipPipPipPipPipPip
  • 1,549 posts
  • Gender:Male
  • Location:United States
Sir,

Your router has been compromised; this isn't the fault of MBAM. You need to reconfigure your router. Please see below:

http://blog.washingtonpost.com/securityfix...s_wirele_1.html

In the future, please do not use default admin/passwords on your router, it only allows for exploitability. The "registry" keys come back because your router, not a piece of software on your PC, is setting them.
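The point Raid makes above is that MBAM is only cleaning the symptom: the DhcpNameServer registry values are refilled by the router's DHCP lease at every reboot, so the check that actually matters is "which resolvers is this host being handed, and are they ones the operator expects?" The script below is an added example, not code from the original thread or from Malwarebytes. It parses DhcpNameServer lines in the MBAM log format shown in this thread (the sample log text is constructed from the two first entries above), classifies each resolver, and, on Windows, can read the same registry values live. The 85.255.112.0/20 range is the rogue-resolver block publicly reported for Zlob/DNSChanger; the thread itself only shows two addresses from it, so that netblock and the 192.168.1.1 allowlist entry are assumptions to adjust for your own network.

```python
import ipaddress
import re

# Assumption: rogue resolver block publicly reported for Zlob/DNSChanger.
# The log in this thread shows 85.255.112.130 and 85.255.112.170 from it.
ROGUE_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

# Assumption (hypothetical allowlist): resolvers the operator expects the
# router's DHCP server to hand out. Replace with your ISP's or your own.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Matches the "Registry Data Items" lines MBAM writes for DhcpNameServer.
MBAM_DNS_LINE = re.compile(
    r"^(?P<key>HKEY_[^ ]+\\DhcpNameServer) \((?P<detection>[^)]+)\) "
    r"-> Data: (?P<data>[^>]+?) ->"
)


def parse_mbam_dns_entries(log_text):
    """Yield (registry_key, [resolver, ...]) for each DhcpNameServer line."""
    for line in log_text.splitlines():
        m = MBAM_DNS_LINE.match(line.strip())
        if m:
            yield m.group("key"), m.group("data").split()


def classify_resolver(ip_str):
    """Return 'rogue', 'expected', 'private', 'unexpected' or 'invalid'."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "invalid"
    if any(ip in net for net in ROGUE_RANGES):
        return "rogue"
    if ip_str in EXPECTED_RESOLVERS:
        return "expected"
    if ip.is_private:
        return "private"  # e.g. the router itself; verify it, but not rogue
    return "unexpected"  # public resolver nobody configured: investigate


def audit_dns_servers(servers):
    """Map each resolver address to its verdict."""
    return {s: classify_resolver(s) for s in servers}


def audit_mbam_log(log_text):
    """Map each registry key in the log to {resolver: verdict}."""
    return {key: audit_dns_servers(srv) for key, srv in parse_mbam_dns_entries(log_text)}


def rogue_keys(findings):
    """Registry keys whose resolver list contains at least one rogue address."""
    return sorted(k for k, v in findings.items() if "rogue" in v.values())


def live_windows_dns_servers():
    """Read DhcpNameServer/NameServer from the Tcpip Parameters key (Windows only).

    Returns None on non-Windows hosts so the rest of the script stays usable
    for offline log review.
    """
    try:
        import winreg
    except ImportError:
        return None
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as key:
        for name in ("DhcpNameServer", "NameServer"):
            try:
                value, _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue
            # Static NameServer values are comma separated; DHCP ones space separated.
            found[name] = value.replace(",", " ").split()
    return found


# Constructed sample: two lines modelled on the MBAM log posted in this thread.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0bbac451-a3f6-43be-9c01-cfe8c09ad493}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for key, verdicts in audit_mbam_log(SAMPLE_LOG).items():
        print(key)
        for ip, verdict in verdicts.items():
            print(f"    {ip:16} {verdict}")
    live = live_windows_dns_servers()
    if live is not None:
        for name, servers in live.items():
            print(name, audit_dns_servers(servers))
```

Run it on a saved MBAM log for offline triage, or on the affected Windows box to see what DHCP is handing out right now. If the live check still returns a rogue or unexpected resolver after MBAM has "cleaned" the registry, the source is upstream of the PC, exactly as Raid says: log in to the router and fix its DNS and admin password before scanning again.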

#5
JeanInMontana

    Delete this account!!

  • Honorary Members
  • PipPipPipPipPipPip
  • 3,867 posts
  • Interests:would love to see some honesty around this site.
This is an extremely nasty infection and requires some diligence and dedication to clean it up. Please follow the instructions here and begin your own topic in that forum. Most important is to get the HJT log posted. MBAM has also had several definition updates since you last updated.

#6
elero

    Advanced Member

  • Honorary Members
  • PipPipPip
  • 110 posts
  • Gender:Male
Nice built-in pw list, I think it's time to change the router pw :blink:

#7
exile360

    exile

  • Moderators
  • PipPipPipPipPipPip
  • 12,959 posts
  • Gender:Male
Yikes, I didn't even realize such infections existed. Makes sense though, considering that most routers use the same default password from the factory. I'm amazed this is the first I've heard of it if it's an attack vector that's been exploited before, and if it's new I'm amazed it took the hackers so long to think of it. Perhaps this will convince Linksys, D-link and all the others to start using randomized passwords by default that are maybe PRINTED on the router itself for the sake of tech support etc. instead of using the same one for each. Most people don't even realize they can change the passwords on routers.
Samuel E Lindsey
Product Manager


#8
Øyvind Granberg

    New Member

  • Members
  • Pip
  • 9 posts
You did mean my adsl router, I guess, but what about my Linksys wireless router?

#9
Øyvind Granberg

    New Member

  • Members
  • Pip
  • 9 posts
I have now reset my Netopia ADSL router once again, and the user ID and password are unique, as they have been all the way.
I will return with the logs asap...

#10
Øyvind Granberg

    New Member

  • Members
  • Pip
  • 9 posts
Here is a Kaspersky Report.... It's been going on for three days and just passed 70%.

http://tresfjording....perskyRapp.html

#11
Øyvind Granberg

    New Member

  • Members
  • Pip
  • 9 posts
Here is the HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:27:36, on 16.11.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\conime.exe
D:\Program Files\FastStone Capture\FSCapture.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\FileZilla FTP Client\filezilla.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\Analyze.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Startup: OneNote 2007 Screen Clipper og Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Blogg dette - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blogg dette i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecu...s/as2stubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: GWKGO - Unknown owner - C:\Users\OYVIND~1\AppData\Local\Temp\GWKGO.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: RQVXK - Unknown owner - C:\Users\OYVIND~1\AppData\Local\Temp\RQVXK.exe (file missing)

--
End of file - 6190 bytes

#12
GT500

    Mostly Cantankerous

  • Trusted Advisors
  • PipPipPipPipPipPip
  • 5,527 posts
  • Gender:Male
  • Location:Fortville, IN

Øyvind Granberg, on Nov 16 2008, 11:58 AM, said:

You did mean my adsl router, I guess, but what about my Linksys wireless router?

I think he was talking about your Linksys router. Their passwords are always the same, so they are easy to get into.


#13
Øyvind Granberg

    New Member

  • Members
  • Pip
  • 9 posts
It was, I guess, but the symptoms seem to have disappeared. It was the Linksys wireless router, but I have a unique username and password there... hmm.

I just went in and removed some DNS addresses matching the DNS addresses in the Malwarebytes AM log.

Am I smart or not?

regards
Øyvind Granberg
A smart and not so perturbed Norwegian

#14
RubbeR DuckY

    Marcin

  • Root Admin
  • PipPipPipPipPipPip
  • 4,049 posts
  • Gender:Male
Yes, this is a very persistent router infection. The PROPER procedure for this is to reset the router to FACTORY DEFAULT SETTINGS and then set very hard to guess passwords. Then Malwarebytes' Anti-Malware can clean the rest up.
Marcin Kleczynski
President and CEO


#15
Øyvind Granberg

    New Member

  • Members
  • Pip
  • 9 posts
I FIXED IT!

I went into my Linksys wireless router and set the three static DNS server addresses to null.
That's it.
Problems solved all over the LAN.

Look here:
http://tresfjording....1-16_165353.png

Then I used Malwarebytes AM on all computers and it removed two threats on each.

I consider this case closed.
Thanks to you guys for pointing me in the right direction!

And to make up for my rather rude title on this thread, I have to say MBAM located and fixed stuff Lavasoft Ad-Aware AND Spybot Search & Destroy didn't even know was there.
I can wholeheartedly recommend Malwarebytes Anti-Malware!!!

#16
JeanInMontana

    Delete this account!!

  • Honorary Members
  • PipPipPipPipPipPip
  • 3,867 posts
  • Interests:would love to see some honesty around this site.
Please be sure you reset System Restore points too. If you ever use one that is infected, you're going to go through this all over again.

#17
Raid

    Malware Researcher

  • Experts
  • PipPipPipPipPipPip
  • 1,549 posts
  • Gender:Male
  • Location:United States

Øyvind Granberg, on Nov 16 2008, 11:58 AM, said:

You did mean my adsl router, I guess, but what about my Linksys wireless router?

Your Linksys wireless router is providing the DNS entries to your computer. You must log in to it, fix your DNS entries and change the admin password.

#18
Øyvind Granberg

    New Member

  • Members
  • Pip
  • 9 posts

JeanInMontana, on Nov 16 2008, 09:51 PM, said:

Please be sure you reset System Restore points too. If you ever use one that is infected, you're going to go through this all over again.

I almost hate System Restore!
In its early days I lost data when rolling the system backwards.

I maintain my own restore system.

The only thing standing between me and a solution, is knowledge.
Now I've got the knowledge, and the assuring feeling of being able to seek out not only knowledge, but the correct knowledge, I'm not scared anymore....

As Chris de Burgh said back in the eighties:
...
And the dark clouds around me
That often surround me
Just fall away into the night,
I'm not scared anymore....

Again thanks.... to you all!

#19
Raid

    Malware Researcher

  • Experts
  • PipPipPipPipPipPip
  • 1,549 posts
  • Gender:Male
  • Location:United States
I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions


Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org