DNS changer virus rampant

Status
Not open for further replies.

techguy911

Distinguished
Jun 8, 2007
After cleaning a whole lot of computers for customers I have stumbled upon a virus - not really a virus: it changes your DNS to a machine where your DNS is resolved, acting as a go-through; the machine then checks for important information, i.e. credit card numbers, social security, etc.

The thing is NO virus scanner can pick them up as they are not a virus; there are no files, so no anti-virus or anti-spyware product can detect the change to your registry, and there is no set value, each ISP has its own DNS.

So far over 50 machines have this. You can get it from Facebook or MySpace; it looks like a harmless video, click here, then BLAM your DNS is hijacked.


 

j20

Distinguished
Nov 21, 2008
Hello,

I have found the same issue on my laptop.
A DNS hijacker that keeps changing the DNS although I put it back. I have Avast Pro for antivirus prog and nothing was triggered there.
Have you come up with a solution so far, besides starting to mess with the registry ?
Thx.
J20
 

shiv666

Distinguished
Dec 3, 2008
One idea... go to Control Panel/Administrative Tools/Services... look for "DNS Client", double click on it to get its menu... switch it to "Disabled" and "Stop" it... hit Apply... if you are in a network that uses "Active Directory domains" then this might not help... otherwise it's fine... no DNS client for the virus to hijack anymore... internet will work just fine... I've been disabling DNS Client for years...

 
Guest
You are a genius *bow*bow* That worked perfectly! Thank you thank you thank you.
 

gbrown23

Distinguished
Mar 23, 2009



I downloaded a trojan DNS hijack and my cpu won't connect to the internet anymore. I ran a virus scan and it said they were all removed but my cpu still won't connect to the internet. I have Windows XP and it doesn't even say that a network is present even when the ethernet cable is plugged in. Is there anything I can do?
 

aadit

Distinguished
Mar 28, 2009
One way to fix the DNS.Changer is to get the free Malwarebytes Anti-Malware, shareware software which you can download and give a try at malwarebytes.org. It is a great software which fixed the same problem very easily. Read the steps:

Download the latest version of the software from the site (from a normal computer) and install it on the infected one.

Restart your computer in safe mode and give this a full scan (it could take about 1 hour, so be patient).

And see the results: it finds all the viruses, trojans, dialers, DNS.Changer and all the like.

Thanks for reading and have a good day.
 

hmmmm

Distinguished
Sep 15, 2009
Note I ran ALL THE ANTIVIRUS and NONE picked up on this one; net search found many had the same result. I suspect this thing is bigger than reported as it takes you off line.. it got by two of my AVs, Avast and Comodo.. NOW installed HijackThis to get reports, so can send any HT reports asked for, will cut and paste it to disc, and get it on this machine as infected is down. SO CANNOT DOWNLOAD TO INFECTED MACHINE. Details follow.
REPEAT MESSAGE
Sep 5 I think I got a virus from email marked as Urgent, from old friend so I opened it. I THINK that was source as had an odd canned message about "virus warning", deleted but it seems not in time. Then got two more of same so probably was source; days later got another one on "not an issue" etc from another person that was on email list, seems still going on. I told them to remove my name/email until they cleared it up and to NOT reply to my message.
End result of virus.
SERIOUS: It shut down PC to DSL Ethernet card to DSL router as internet connection is fine. When I try to go online first get message "MS Installing SCAN" and it proceeds as if in normal install mode. Noted on WR 2.2 (What's Running) this "Install" starts via MS Install and IDs itself as msiexec.exe and is an exact copy of msiexec.exe. Install looks like it uses MSI to mask itself, as an install runs down to the point it asks for CD.. WHEN I "Cancel" install, it simply restarts itself and even does it after using Task Manager to "end task". NOTE when starting in safe mode, it will flash as attempt to run, but will not go. Safe with network will NOT connect, in same manner as "normal" will not..

My internet connection is via 4 hookup DSL router; other two PCs on it work fine. This is ole 1998 PC, Win98 and not a lot of HD-memory-etc. I pulled other one off the DSL to prevent spread as this one is networked to it, a back up if all else fails I kept handy; this PC is on same DSL router, DSL HW is not an issue. Infected PC will ping OK, now left with virus may be after TCP or such. DO NOT know how to test TCP etc, but did reinstall new Ethernet card config. Have heard where this can set up a "hidden" address or such but have NO idea of what that is or how to check it out, as supposedly can conflict TCP or router? Ideas there? But not core issue as it would not start "install" when I try to go online.

NOTE infected PC CANNOT get "connected" but all www-emails-etc are DNS "cannot find server". Tried everything so far, virus scans AVAST COMODO were there, they will NOT find it.. manually cleaned "Trojans-hijacker-tracking etc" from registry ActiveX, ran Malwarebytes and AVG via CD made off other machine. Ran a regedit listing of backdoor etc I got off www sites, it found a few issues but virus still there.

ANY ideas, "format" is not an option. Do NOT recommend any "run virus scan from ////" as PC will NOT go on line, all has to be from CD that copies off other PC, OK? NOTE when I run WR2.2 (What's Running SW) I can see the thing come through msiexec.exe as a sub routine. Something starts MSI and uses a copy to mask itself.. as the "msi" I see as subroutine from msi (legit) is an exact copy; shut it down and whatever runs under it goes away, for a time. It seems to have a timer as it goes more destructive and after 1-2 hours goes into shut down restart loop.. When in "SAFE" I can see "install" flash on but it is shut off or not allowed to start..
IDEAS as spent ONE week trying about all I can find.. HELP
 

WAldred

Distinguished
Nov 19, 2009
I recently experienced these same symptoms with a client of mine. What was interesting is that I found that the DNS settings kept being set to 216.146.35.35. I Googled this IP address and found that DynDns has a new feature on its client called "Internet Guide" that will change your DNS settings to the 216.146.35.35 settings I mentioned. I can't say this is what all of you are experiencing but maybe googling the IP address might find some answers for you. Good luck!
 

gogh

Distinguished
Dec 28, 2009


That was exactly it for my issue. To change that property, go to DynDNS in your icons (bottom right), open DynDNS > Advanced > uncheck "Enable DynDNS.com Internet Guide on this PC". I found that this is new to version 4.1.4. I have also disabled my DNS services in my services.msc. Most home users will find this to be a good solution. I always run my machines as a fixed IP so I can port to each remotely. Just manually put the DNS1 to whatever the default IP for your router is. If you haven't changed this number, then it's probably still at default: Linksys=192.168.1.1, D-Link=192.168.0.1, 2Wire=192.168.1.245. Be aware, if you shut down your DNS service, you will have to input the DNS address manually. It's located in the network adaptor properties (TCP/IP v4).
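An added example, not code from any poster in this thread: a PowerShell audit that reads the per-interface DNS server values from the Tcpip registry keys the first post says the hijacker rewrites, flags anything not on an allow-list of resolvers you control, and reports the state of the DNS Client service that shiv666 and gogh toggled. The allow-list (gogh's router defaults) and the 216.146.35.35 entry from WAldred's post are assumptions; replace them with your own router or ISP resolvers and run from an elevated Windows PowerShell prompt.

```powershell
# Added example, not from any poster in this thread: audit the DNS server
# values stored under Tcpip\Parameters (the settings a DNS changer rewrites)
# and flag anything not on an allow-list of resolvers you expect.
# Assumption: these are your expected resolvers (router defaults quoted by gogh).
$Allowed = @('192.168.1.1', '192.168.0.1', '192.168.1.245')
# Resolver reported by WAldred/gogh in this thread; used only to label a hit.
$Reported = @('216.146.35.35')

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Findings = @()

# The global Parameters key plus one Interfaces subkey per adapter GUID.
$Keys = @(Get-Item -Path $Base) + @(Get-ChildItem -Path "$Base\Interfaces")
foreach ($key in $Keys) {
    $props = Get-ItemProperty -Path $key.PSPath
    foreach ($name in 'NameServer', 'DhcpNameServer') {
        $raw = $props.$name
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        # Values are space- or comma-separated lists of server addresses.
        foreach ($ip in ($raw -split '[ ,]+' | Where-Object { $_ })) {
            if ($Allowed -contains $ip) { continue }
            $note = 'not on allow-list'
            if ($Reported -contains $ip) { $note = 'resolver reported in this thread' }
            $Findings += [pscustomobject]@{
                Key    = $key.PSChildName
                Value  = $name
                Server = $ip
                Note   = $note
            }
        }
    }
}

# State of the DNS Client service (Dnscache), which several posters stopped or restarted.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Dnscache'"
if ($svc) { "DNS Client: state=$($svc.State) start=$($svc.StartMode)" }

if ($Findings.Count -eq 0) {
    'No DNS servers outside the allow-list were found.'
} else {
    $Findings | Format-Table -AutoSize
}
```

A DhcpNameServer hit is normally your router or ISP and just means the allow-list needs extending; a NameServer hit on a machine that should be using DHCP is the change the posters describe.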
 
Guest
Ok I just got in a fight with this virus and won, so I'm here to tell you about it. I went to Start > Control Panel > Administrative Tools > Services. The list should be alphabetically ordered; if it's not you can press on the "Name" tab to sort alphabetically. Look down the list and find the service "Web Client". Stop the "Web Client" service and go up the list and find the service "DNS Client". Restart the "DNS Client" service and you should be able to access the internet and download Malwarebytes:
http://www.filehippo.com/download_m...re/download/bf7bdc016623eccdb800a61c3de8dfea/

Scan your computer, restart it when malwarebytes asks you to, and the computer should start up to settings and restart the "Web Client" service on its own. After you scan make sure you lock your computer down with firewalls and a virus program that does realtime scanning of incoming files, because this Trojan is part of a "fraud pack" and you may have just dodged a bullet.
 

jjman42

Distinguished
Jun 28, 2010
I found a file on one of my machines and ran it on a development PC. The file name is ac0a168b.exe in the Application Data folder. It has an icon with a camel on it. I had to stop the service and delete the profile.
 