dnsChange virus

Thread starter: Øyvind Granberg
Øyvind Granberg wrote:
>>
>> You want a list?

> You sound like my wife :-)
>
>>
>>> Is this Malwarebyte a hoax?

> Why I'm asking this is because it doesn't seem to work right. It finds
> the trojan, but the registry entries remain after the fix.
>
>>
>> No, it is a good application.
>>
>> This malware is extremely sticky - check for rootkit activity.

> I downloaded RootkitRevealer, but it couldn't find anything.
>
>
>
> -- Øyvind G. --

You might try reporting the problem in General Malwarebytes'
Anti-Malware Forum


or via contact page

They are normally responsive


John
 
On 11/13/2008 05:31 PM, ~BD~ sent:
> "1PW" wrote in message
> news:gfig6d$tuj$1@feeder.motzarella.org...
>> On 11/13/2008 10:33 AM, ~BD~ sent:
>>
>> Snip, snip...
>>
>>> My subsequent discussions now lead me to believe that one needs to clear
>>> the CMOS and probably flash the BIOS too if one wants to be sure of a clean
>>> machine.
>>>
>>> Good luck!
>>>
>>> Dave
>>>

>> Hello Dave:
>>
>> It is quite easy to take what we discussed, in the other thread, out of
>> context. Extreme measures are not indicated in many instances. Good
>> judgment must be coupled with experience. Also, reburning the BIOS
>> does come with its own set of risks of failure. The motherboard is
>> clearly at risk. If the above malware is clearly hard disk drive
>> resident, the risk/benefit ratio of reburning the BIOS is clearly not on
>> the side of the system's tech/owner/user.
>>
>> A proper assessment/diagnosis must precede the proper corrective
>> action.
>>
>> --
>> 1PW
>
> --
>
> Hello again, Pete

>
>> @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

>
> I've still not worked out what this code means (busy doing other things
> today!)
>
> I fully appreciate your comments and I'm sure Øyvind Granberg will
> understand too. Having reviewed his web site and absorbed a notion of his
> experience with computers, I'm equally sure that he, just like me, will wish
> to experiment and try to solve his problems himself - without resorting to
> employing a 'professional' (as it seems you once were!).
>
> You say "A proper assessment/diagnosis must precede the proper corrective
> action". I fully accept this. With your wealth of experience, where would
> *you* recommend one might go on the Internet to achieve this objective?
>
> Why do I ask you? You are one of the few folk on these MS security
> newsgroups who has taken a great deal of time and trouble to help me better
> understand these technical matters (FromTheRafters has been another
> recently - thanks FTR). I do not profess, nor ever have, to be knowledgeable
> about computers. That doesn't mean that I am stupid and ignorant ....... as
> some here would have you believe!
>
> I did not come to these groups to solve my malware problems, rather to
> investigate how, and by whom, machines are infected in the first place. I
> basically trust no-one and don't believe something simply because it is
> showing on a screen in front of me. Nor do I blindly follow 'instructions'
> from any Tom, Dick or Harry (or even David H Lipman - whose credentials are
> completely unknown - yet who struts around these groups as if he is Lord of
> the manor!).
>
> The average guy who proceeds to a forum, downloads all manner of magical
> programmes to help fix his /her PC (under instruction, of course) will have
> absolutely no idea if their machine has *really* been cleaned - as long as
> it 'works', that will be sufficient. Lambs to the slaughter perhaps?
>
> Thanks for listening,
>
> Dave

We are stealing this thread from one with a huge problem and great need.

Let's begin another thread.

Our apologies to all that read our blatherings.

--
1PW

@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
 
Hello Øyvind

I replied to you earlier this morning from Google Groups (supposedly!) but
cannot now find same via Google. I'd set a 'follow-up' in the hope that my
message would show up in the 'microsoft.public.security.virus' group which I
usually view with Outlook Express. It has not (so far) appeared
...............

But I * have* found it here:-
http://www.pcreview.co.uk/forums/showthread.php?t=3668206

Scratching head (again!) - Puzzling to me (a user, not a guru!)

Dave

--
"Øyvind Granberg" wrote in message
news:B70F3874-ADB3-4B60-B276-9C1D57BE2D40@microsoft.com...
> Thank you ~BD~ for those kind words. Glad you liked my website :-)
>
> I will reset the CMOS and BIOS at next reboot.
>
> I am opposed to reinstalling the OS. That is a solution I turned to in the
> past.
> I reformatted my first computer back in the late eighties. I thought it
> was THE solution in the nineties.
> This decade the procedure makes me physically sick... hehe...
>
> But after cleaning the registry, deleting files (autorun.inf) and folders
> (resycled) the registry keys rebuilt themselves.
> Somewhere there has to be a file that is run at startup, or when I start
> IE.
> I will now revert to IE7 and flush CMOS and reset BIOS during restart.
>
> BRB
>
>
> --
>
> Kind regards
> Øyvind Granberg
>
> tresfjording@live.no
> www.tresfjording.com
>
> "~BD~" wrote in the news message:
> uTso#4bRJHA.4008@TK2MSFTNGP02.phx.gbl ...
>> I'm saddened to learn that you have a continuing problem, OG.
>>
>> You said "Then IE8 is started"
>>
>> IE8 is in Beta - advice I've had says that you must expect problems if
>> you use an 'un-finished' product. I suggest you uninstall IE8 and try to
>> revert to IE7.
>>
>> I've enjoyed browsing your web site btw!

>>
>> Just to rub salt into the wound, you didn't need to pay anything to
>> download and use Malwarebytes on a one-off basis (i.e. not continuous
>> protection).
>>
>> If you have a rootkit, rather than try to find and kill it, I'm sure it
>> will be much quicker for you to 'Flatten and Rebuild'. If you have access
>> to the Internet, you may 'enjoy' reading through a thread I started
>> earlier this year, still available on Google, here:-
>>
>> http://groups.google.co.uk/group/microsoft...e5f99b403a1e451
>>
>> My subsequent discussions now lead me to believe that one needs to clear
>> the CMOS and probably flash the BIOS too if one wants to be sure of a
>> clean machine.
>>
>> Good luck!
>>
>> Dave
>>
>> --
>>
>>
>> "Øyvind Granberg" wrote in message
>> news:2AA77F27-57A5-4CB9-AD8B-4769F1049533@microsoft.com...
>>> Hi...
>>>
>>> As a continuance of the thread "Do I have a virus?"
>>>
>>> Well it's back. The Trojan.DNSChanger virus has really never left the
>>> building.
>>> I have downloaded and paid for software called Malwarebytes and it finds
>>> six instances of this virus.
>>> I choose to remove them, and the software wants to restart my computer.
>>> After reboot, a rerun of Malwarebytes shows that my system is clean.
>>> Then IE8 is started. All of a sudden I cannot connect to any website,
>>> not even google
>>> A new run of Malwarebytes reveals yet another six instances of the same
>>> virus.
>>>
>>> A checkup on all other computers in the household tells a tale of a
>>> massive outburst.
>>>
>>> I've got my ISP to reset the ADSL router, much against his beliefs, but
>>> no fix.
>>>
>>> I am running, amongst others, a self built Windows Vista Ultimate based
>>> pc, with all updates, and all security measures running.
>>> AVG 8
>>> Windows Defender
>>> A weekly run of Spybot and Adaware
>>> I reckon if I can clean this computer I can easily fix the others.
>>>
>>> What am I doing wrong here?
>>> Is this Malwarebyte a hoax?
>>>
>>>
>>> --
>>>
>>> Kind regards
>>> Øyvind Granberg
>>>
>>> tresfjording@live.no
>>> www.tresfjording.com

>>
>>
 
"1PW" wrote in message
news:gfj08f$p5f$1@feeder.motzarella.org...
> On 11/13/2008 05:31 PM, ~BD~ sent:
>> "1PW" wrote in message
>> news:gfig6d$tuj$1@feeder.motzarella.org...
>>> On 11/13/2008 10:33 AM, ~BD~ sent:
>>>
>>> Snip, snip...
>>>
>>>> My subsequent discussions now lead me to believe that one needs to clear
>>>> the CMOS and probably flash the BIOS too if one wants to be sure of a clean
>>>> machine.
>>>>
>>>> Good luck!
>>>>
>>>> Dave
>>>>
>>> Hello Dave:
>>>
>>> It is quite easy to take what we discussed, in the other thread, out of
>>> context. Extreme measures are not indicated in many instances. Good
>>> judgment must be coupled with experience. Also, reburning the BIOS
>>> does come with its own set of risks of failure. The motherboard is
>>> clearly at risk. If the above malware is clearly hard disk drive
>>> resident, the risk/benefit ratio of reburning the BIOS is clearly not on
>>> the side of the system's tech/owner/user.
>>>
>>> A proper assessment/diagnosis must precede the proper corrective
>>> action.
>>>
>>> --
>>> 1PW

>>
>> --
>>
>> Hello again, Pete

>>
>>> @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

>>
>> I've still not worked out what this code means (busy doing other things
>> today!)
>>
>> I fully appreciate your comments and I'm sure Øyvind Granberg will
>> understand too. Having reviewed his web site and absorbed a notion of his
>> experience with computers, I'm equally sure that he, just like me, will wish
>> to experiment and try to solve his problems himself - without resorting to
>> employing a 'professional' (as it seems you once were!).
>>
>> You say "A proper assessment/diagnosis must precede the proper corrective
>> action". I fully accept this. With your wealth of experience, where would
>> *you* recommend one might go on the Internet to achieve this objective?
>>
>> Why do I ask you? You are one of the few folk on these MS security
>> newsgroups who has taken a great deal of time and trouble to help me better
>> understand these technical matters (FromTheRafters has been another
>> recently - thanks FTR). I do not profess, nor ever have, to be knowledgeable
>> about computers. That doesn't mean that I am stupid and ignorant ....... as
>> some here would have you believe!
>>
>> I did not come to these groups to solve my malware problems, rather to
>> investigate how, and by whom, machines are infected in the first place. I
>> basically trust no-one and don't believe something simply because it is
>> showing on a screen in front of me. Nor do I blindly follow 'instructions'
>> from any Tom, Dick or Harry (or even David H Lipman - whose credentials are
>> completely unknown - yet who struts around these groups as if he is Lord of
>> the manor!).
>>
>> The average guy who proceeds to a forum, downloads all manner of magical
>> programmes to help fix his /her PC (under instruction, of course) will have
>> absolutely no idea if their machine has *really* been cleaned - as long as
>> it 'works', that will be sufficient. Lambs to the slaughter perhaps?
>>
>>
>> Thanks for listening,
>>
>> Dave
>
> We are stealing this thread from one with a huge problem and great need.
>
> Let's begin another thread.
>
> Our apologies to all that read our blatherings.
>
> --
> 1PW
>
> @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

--

OK - I'll start a new thread 'Lambs to the slaughter perhaps?'

Dave

--
 
I will... as soon as Mr. Lipman's ENORMOUS four step virus killer quest is
over.


> You might try reporting the problem in General Malwarebytes' Anti-Malware
> Forum
>
> or via contact page
>
> They are normally responsive
>
>
> John
 
My HiJackThis log does not reveal anything suspicious.
Not what I can see.
No item in category #017 is listed.

Here is the problem as reported in Malwarebytes:

Registerfiler infisert:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer
(Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0bbac451-a3f6-43be-9c01-cfe8c09ad493}\DhcpNameServer
(Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer
(Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0bbac451-a3f6-43be-9c01-cfe8c09ad493}\DhcpNameServer
(Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
Quarantined and deleted successfully.

I have deleted them using MBAM and manually deleting these four or six
entries in the registry.
No dice!!
Somewhere there is a file which is reestablishing these registry keys again.
Where?

--

Kind regards
Øyvind Granberg

tresfjording@live.no
www.tresfjording.com

"David H. Lipman" wrote in the news message:
ubbZkPgRJHA.3516@TK2MSFTNGP03.phx.gbl ...
> From: "Øyvind Granberg"
>
> | Your procedure involves hundreds of MB to download.
> | Aren't we here shooting sparrows with cannons?
>
> My procedure was for you to post in an Expert Forum and I don't see how
> it would require hundreds of MB of download.
>
> If you are talking about my Multi AV Scanning Tool, I never suggested you
> use it.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
And while it is running you are using the computer to post here among other things. Wonderful

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"Øyvind Granberg" wrote in message news:%239I7dhmRJHA.1960@TK2MSFTNGP04.phx.gbl...
>I will... as soon as Mr. Lipman's ENORMOUS four step virus killer quest is
> over.
>
>
>> You might try reporting the problem in General Malwarebytes' Anti-Malware
>> Forum
>>
>> or via contact page
>>
>> They are normally responsive
>>
>>
>> John

>
 
From: "Øyvind Granberg"

| My HiJackThis log does not reveal anything suspicious.
| Not what I can see.
| No item in category #017 is listed.

| Here is the problem as reported in Malwarebytes:

| Registerfiler infisert:
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer
| (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
| Quarantined and deleted successfully.
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{
| 0bbac451-a3f6-43be-9c01-cfe8c09ad493}\DhcpNameServer
| (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
| Quarantined and deleted successfully.
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer
| (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
| Quarantined and deleted successfully.
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0bbac451-
| a3f6-43be-9c01-cfe8c09ad493}\DhcpNameServer
| (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
| Quarantined and deleted successfully.

| I have deleted them using MBAM and manually deleting these four or six
| entries in the registry.
| No dice!!
| Somewhere there is a file which is reestablishing these registry keys again.
| Where?

Assuming your SOHO Router is at 192.168.1.1:

Go into your router (http://192.168.1.1) and examine the DNS entries.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
"David H. Lipman" wrote in message
news:ubbZkPgRJHA.3516@TK2MSFTNGP03.phx.gbl...
> From: "Øyvind Granberg"
>
> | Your procedure involves hundreds of MB to download.
> | Aren't we here shooting sparrows with cannons?
>
> My procedure was for you to post in an Expert Forum and I don't see how
> it would require hundreds of MB of download.
>
> If you are talking about my Multi AV Scanning Tool, I never suggested you
> use it.


To be honest David, I didn't ever see that post to this poster
where you suggested the usual expert route. I *did* see the
post by Malke where it is suggested to try your tool.

I thought it was strange at the time, but assumed the post you
referred to was in another group or thread which I am not
monitoring.

...the way these web to usenet gateways seem to mess up the
threading and the way the posters change subjects mid thread
make it all a jumble.

...and then there's ~BD~ who does it on purpose.
 
From: "FromTheRafters"



| To be honest David, I didn't ever see that post to this poster
| where you suggested the usual expert route. I *did* see the
| post by Malke where it is suggested to try your tool.

| I thought it was strange at the time, but assumed the post you
| referred to was in another group or thread which I am not
| monitoring.

| ...the way these web to usenet gateways seem to mess up the
| threading and the way the posters change subjects mid thread
| make it all a jumble.

| ...and then there's ~BD~ who does it on purpose.


Posted in: alt.comp.anti-virus
Post subject: Re: I can't download...
Date: Sunday, November 09, 2008 3:01 PM

He posted (my time) at 2:54 PM, just minutes before posting

Posted in: microsoft.public.security.virus
Post Subject: Do I have a virus?
Date: Sunday, November 09, 2008 2:58 PM

Basically your Multi-Post with two different subjects.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
"David H. Lipman" wrote in message
news:exdjanqRJHA.6060@TK2MSFTNGP06.phx.gbl...
> From: "FromTheRafters"
>
>
>
> | To be honest David, I didn't ever see that post to this poster
> | where you suggested the usual expert route. I *did* see the
> | post by Malke where it is suggested to try your tool.
>
> | I thought it was strange at the time, but assumed the post you
> | referred to was in another group or thread which I am not
> | monitoring.
>
> | ...the way these web to usenet gateways seem to mess up the
> | threading and the way the posters change subjects mid thread
> | make it all a jumble.
>
> | ...and then there's ~BD~ who does it on purpose.
>
>
> Posted in: alt.comp.anti-virus
> Post subject: Re: I can't download...
> Date: Sunday, November 09, 2008 3:01 PM
>
> He posted (my time) at 2:54 PM, just minutes before posting
>
> Posted in: microsoft.public.security.virus
> Post Subject: Do I have a virus?
> Date: Sunday, November 09, 2008 2:58 PM
>
> Basically your Multi-Post with two different subjects.


Thanks, I suspected as much.
 
Hello again Øyvind - How are things going?

Have you had to wield your mighty sword yet?

Dave

--
 
"~BD~" wrote in message
news:OnH4lmASJHA.5348@TK2MSFTNGP02.phx.gbl...
>
> Hello again Øyvind - How are things going?
>
> Have you had to wield your mighty sword yet?
>
> Dave
>
> --
>
>


Maybe this will help

(A post by Bill Castner of Aumha.net
http://www.aumha.net/viewtopic.php?f=30&t=36886 )

********************************************

There is a widespread DNS Hijacker going around that requires unusual
measures to resolve. By posting this in a single and editable location, it is,
I hope, a convenience to both me and the Forum.

How Do You Know If You Have This Malware Infection?
While the adware it pops up is more aggressive than typical adware
infections, the DNS redirection is easy to test.
Try the following in your Browser address bar:

download.microsoft.com

If you end up anywhere other than the official Microsoft Download Center,
keep reading. For all others, you may have something else.

So Now What?

1. Create a "toolkit". Download the following to your Desktop and not any
other location or Folder:

GMER: http://www.gmer.net/index.php
Malwarebytes Anti-Malware -- MBAM (if you have this installed, Uninstall it
and download it again): http://www.malwarebytes.org/mbam.php
PrevX CSI: http://www.prevx.com/freescan.asp

2. Run MBAM. If it wants to reboot when finished, do so.
3. Run Prevx CSI. If it wants to reboot when finished do so.
4. Make sure you know the setup information for your router. You want to
access the router configuration pages, and write down any information
necessary to authenticate with your ISP. Please write this down, if you do
not have a record elsewhere of this information. When in doubt, call your
ISP and ask what is needed in the authentication fields of the router.
5. Shut down your computer, and any other computer connected to your router.
6. On the back of the router, there should be a small hole or button
labelled RESET. Using a bent paper clip or similar item, hold that in
continuously for twenty seconds. Unplug the router. Wait sixty seconds. Now
holding again the reset button, plug it back in. Continue holding the reset
button for twenty seconds. Unplug the router again.
7. With the router unplugged, start your computer. Run MBAM again.
8. Run Prevx CSI again.
9. Connect again to the router. Then turn the router back on. When it
stabilizes, reboot your workstation and try to access the internet. If you
have any issues, access the Router configuration page and re-enter your
authentication information.
10. Reboot the workstation and do a final test.

Special Note and Reading List:

Several folks have asked why they have to RESET the router. And how on earth
could malware affect the router in the first place? There are, that I have
seen in the last week, in wide distribution, at least four malware
infections, one rootkit-based, that at present do exactly this; and have
since the last week in October. As to how this can be done, please read this
short Article: http://www.geekstogo.com/2008/04/08/hav ... read-this/

Does this mean you throw out your router and replace it? No. You do at least
the RESET operation I described above. If you are exceedingly cautious about
the matter, visit your router manufacturer's website and download the newest
firmware release for your router. Then reflash the router firmware. Since
there are literally thousands of router models out there, I cannot advise
you about how to reflash your router firmware. The manufacturer's website
should have utilities and instructions for doing so. I cannot answer any
specific questions as to how to do this. In most cases, I consider a reflash
of the firmware unnecessary.
 
From: "~BD~"


< snip >

| Several folks have asked why they have to RESET the router. And how on earth
| could malware affect the router in the first place? There are, that I have
| seen in the last week, in wide distribution, at least four malware
| infections, one rootkit-based, that at present do exactly this; and have
| since the last week in October. As to how this can be done, please read this
| short Article: http://www.geekstogo.com/2008/04/08/hav ... read-this/

| Does this mean you throw out your router and replace it? No. You do at least
| the RESET operation I described above. If you are exceedingly cautious about
| the matter, visit your router manufacturer's website and download the newest
| firmware release for your router. Then reflash the router firmware. Since
| there are literally thousands of router models out there, I cannot advise
| you about how to reflash your router firmware. The manufacturer's website
| should have utilities and instructions for doing so. I cannot answer any
| specific questions as to how to do this. In most cases, I consider a reflash
| of the firmware unnecessary.


What is NOT mentioned and should have been is that the SOHO Router should be enabled with
a Strong Password.

I agree that flashing the Router's FirmWare is not needed.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
FYI David - I've just finished a scan with the Windows Live Safety Scanner

There were some minor Registry errors but of more concern was notification
of the presence of 'Trojan Win32/AgentBypass.gen!k' details of which I found
here:-
http://onecare.live.com/site/en-gb/virusen...entBypass.gen!K

Port 80 was also found Open.

The price of experimentation I suppose!

Dave

--

"David H. Lipman" wrote in message
news:OH3%23LHBSJHA.5860@TK2MSFTNGP02.phx.gbl...
> From: "~BD~"
>
>
> < snip >
>
> | Several folks have asked why they have to RESET the router. And how on earth
> | could malware affect the router in the first place? There are, that I have
> | seen in the last week, in wide distribution, at least four malware
> | infections, one rootkit-based, that at present do exactly this; and have
> | since the last week in October. As to how this can be done, please read this
> | short Article: http://www.geekstogo.com/2008/04/08/hav ... read-this/
>
> | Does this mean you throw out your router and replace it? No. You do at least
> | the RESET operation I described above. If you are exceedingly cautious about
> | the matter, visit your router manufacturer's website and download the newest
> | firmware release for your router. Then reflash the router firmware. Since
> | there are literally thousands of router models out there, I cannot advise
> | you about how to reflash your router firmware. The manufacturer's website
> | should have utilities and instructions for doing so. I cannot answer any
> | specific questions as to how to do this. In most cases, I consider a reflash
> | of the firmware unnecessary.
>
>
> What is NOT mentioned and should have been is that the SOHO Router should
> be enabled with a Strong Password.
>
> I agree that flashing the Router's FirmWare is not needed.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
Re: dnsChange virus SOLVED...

Hi !!

I am glad to inform you that I have taken care of the Zlob.dnschanger
trojan. It's a trojan and therefore not contagious as viruses are. You have
to take some action yourself in order to get it.

It has changed the configuration in my Linksys wireless router to detour all
traffic to their pages.
See this link for more info:
http://tresfjording.com/docs/2008-11-16_165353.png

All I did was to log on to the router, change all numbers in all three
Static DNS #1, 2 and 3 to null.
Then I changed the password... very important!

After that I ran Malwarebyte Anti Malware and it found two instances of
malware which it successfully removed.

This procedure fixed all eight laptops and the desktop in the household.

This information for your convenience!

This is a fairly new method of messing up your computer and it takes
advantage of sloppy wireless router owners still running behind the well
known factory password. Also if you, like me, accidentally tap in the info when
a dialog box asks for it, please kick yourself in the butt! Hard!

The trojan reports computer activity and keylogs to its principals.

I am glad I worked it out.

All systems green still five hours after the cleaning....

Have a nice day!


--

Kind regards
Øyvind Granberg

tresfjording@live.no
www.tresfjording.com

"The only thing between me and my goals is my own ignorance"
(granberg - 2008)
 
The problem is that it changes the DNS entries in your wireless router, not
your ADSL router, and every time MBAM deleted registry entries, it reinstated
them through the web pages those new DNS addresses pointed to.

See my latest reply to this thread and spread the word.

--øg--
A not so perturbed Norwegian Viking!
My sword is still sharp... :-)
 
From: "Øyvind Granberg"

| The problem is that it changes the DNS entries in your wireless router, not
| your ADSL router, and every time MBAM deleted registry entries, it reinstated
| them through the web pages those new DNS addresses pointed to.

| See my latest reply to this thread and spread the word.

Wired or wireless... NO DIFFERENCE!

As I stated a SOHO Router. SOHO -- Small Office Home Office.

As I posted earlier, the DNSChanger injects a DLL into the Windows Spooler Service. The
Spooler Service is restarted and it communicates to the Router. It doesn't make a
difference if you are wired through an RJ45 Ethernet port or if you attach wirelessly.
The Spooler Service is hijacked (so to speak) and communicates to the router such as
192.168.1.1. It will then use a dictionary of known passwords (or other methodology) to
gain access to the Router's DNS entries. Once the DNSChanger modifies the DNS table of
the Router any node that obtains an IP address from the Router via DHCP will gain the DNS
entries the trojan has entered. Thus *any* device that obtains a DHCP lease from the
Router will be using the DNS entries the trojan has inserted.

There are Routers that combine a DSL modem with a Router such as a Westell 6100 and
there are standalone Routers from DLink, Linksys, Netgear, etc. All are affected IFF the
user uses the manufacturer's default password.

As of yet, I have not heard of uPnP or protocols being used to bypass authentication at
TCP port 80.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
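Added example, not code from the thread, from Malwarebytes or from any poster: a small Python triage script for the DhcpNameServer findings Øyvind posted earlier and for the DHCP mechanism Dave describes here. It parses Malwarebytes-style report lines, flags any resolver that is neither the router's LAN address nor an expected ISP resolver, and uses the value name (DhcpNameServer versus the statically set NameServer) to decide whether the entries came from a DHCP lease, in which case deleting them on the host only lasts until the next lease and the router must be cleaned. The report text, the 192.168.1.0/24 LAN and the 198.51.100.x "ISP resolvers" are constructed sample data.

```python
import ipaddress
import re

# Constructed sample, shaped like the Malwarebytes lines quoted in the thread.
SAMPLE_REPORT = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\DhcpNameServer
(Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces\\{0bbac451-a3f6-43be-9c01-cfe8c09ad493}\\DhcpNameServer
(Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
Quarantined and deleted successfully.
"""

# Assumed/constructed: the ISP's published resolvers (documentation range here)
# and the router LAN used in the thread. Replace with the real values on site.
EXPECTED_RESOLVERS = {"198.51.100.10", "198.51.100.11"}
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_report(text):
    """Pair each registry key line with the IPv4 addresses on its 'Data:' line."""
    findings = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("HKEY_"):
            key = line
        elif "Data:" in line and key is not None:
            data = line.split("Data:", 1)[1]
            findings.append((key, IPV4_RE.findall(data)))
            key = None
    return findings


def classify(addr, lan=LAN_NETWORK, expected=EXPECTED_RESOLVERS):
    """'expected' = ISP resolver, 'lan' = the router forwarding DNS, else 'rogue'."""
    if addr in expected:
        return "expected"
    if ipaddress.ip_address(addr) in lan:
        return "lan"
    return "rogue"


def rogue_resolvers(findings, lan=LAN_NETWORK, expected=EXPECTED_RESOLVERS):
    """Map each rogue resolver to the registry keys that carried it."""
    rogue = {}
    for key, addrs in findings:
        for addr in addrs:
            if classify(addr, lan, expected) == "rogue":
                rogue.setdefault(addr, []).append(key)
    return rogue


def value_origin(key):
    """DhcpNameServer is written from the DHCP lease; NameServer is set by hand."""
    name = key.rsplit("\\", 1)[-1]
    if name == "DhcpNameServer":
        return "dhcp-lease"
    if name == "NameServer":
        return "static"
    return "other"


def where_to_fix(findings, lan=LAN_NETWORK, expected=EXPECTED_RESOLVERS):
    """If every rogue entry arrived via DHCP, the DHCP server (the router) is
    what keeps re-creating them; a static rogue entry means the host itself
    was reconfigured and must be fixed too."""
    origins = set()
    for key, addrs in findings:
        if any(classify(a, lan, expected) == "rogue" for a in addrs):
            origins.add(value_origin(key))
    if not origins:
        return "none"
    if "static" in origins:
        return "host-and-router" if "dhcp-lease" in origins else "host"
    return "router"


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for addr, keys in rogue_resolvers(found).items():
        print(f"rogue resolver {addr} seen in {len(keys)} key(s)")
    print("fix at:", where_to_fix(found))
```

Run against a real report, replace the constructed resolver set with the ISP's own and confirm the router's DNS page shows the same addresses before trusting the host-side cleanup.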
 
Re: dnsChange virus SOLVED...

In article ,
tresfjording@live.no says...
> I am glad to inform you that I have taken care of the Zlob.dnschanger
> trojan. It's a trojan and therefore not contagious as viruses are. You have
> to take some action yourself in order to get it.
>
> It has changed the configuration in my Linksys wireless router to detour all
> traffic to their pages.
> See this link for more info:
> http://tresfjording.com/docs/2008-11-16_165353.png
>


If you had disabled UPNP, not used the default network subnet, not used
the default password or not provided the password to some program, it
could not have changed it.

Disable UPNP, change from 192.168.0.1 to 192.168.128.1 on the router,
change the password, update the firmware if possible.


--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
Re: dnsChange virus SOLVED...

I'll look into that...


--

Kind regards
Øyvind Granberg

tresfjording@live.no
www.tresfjording.com

"Leythos" wrote in the news message:
MPG.238aad60d8793a2a9896eb@us.news.astraweb.com ...
>
> Disable UPNP, change from 192.168.0.1 to 192.168.128.1 on the router,
> change the password, update the firmware if possible.
>
>
> --
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)
 
