Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Need help with a NEW DNS changer virus. 1

Status
Not open for further replies.

lyontl

MIS
Jun 2, 2005
62
US
I have an employee that picked up a DNS changer virus on his laptop and brought it in to share with the rest of us. All it does is change the DNS settings. However, this being a Microsoft AD network, that becomes a problem. I can manually change the DNS settings and it works fine, but that is obviously not a long term solution. The IP addresses that it is giving are:

64.86.133.51 and 63.243.173.162

64.86.133.51 IP address location & more:
IP address [?]: 64.86.133.51 [Copy][Whois] [Reverse IP]
IP address country: Canada
IP address state: Ontario
IP address city: Brampton
IP postcode: l6t5g1
IP address latitude: 43.6833
IP address longitude: -79.7667
ISP of this IP [?]: Teleglobe
Organization: Velcom
Local time in Canada: 2009-03-24 10:57

63.243.173.162 IP address location & more:
IP address [?]: 63.243.173.162 [Copy][Whois] [Reverse IP]
IP address country: Canada
IP address state: Ontario
IP address city: Toronto
IP address latitude: 43.6667
IP address longitude: -79.4168
ISP of this IP [?]: Teleglobe
Organization: Velcom
Local time in Canada: 2009-03-24 10:57


Any help/advice would be greatly appreciated!!!

 
I've tried the latest virus definitions in Symantec and McAfee and I've tried malware bytes, there doesn't seem to be anything in the HijackThis log file, but here it is anyway:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:33 PM, on 3/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\cclawson\Desktop\Antivirus Tools\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - O16 - DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} (NPRemvuPluginControl) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MagicTilt.local
O17 - HKLM\Software\..\Telephony: DomainName = MagicTilt.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MagicTilt.local
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe

--
End of file - 7854 bytes
 
Get rid of this:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

update JavaRE to the latest version, 1.6.0_3 is out of date and thus a security issue...

This may be the culprit:

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
The Bonjour Service supported by the file mdnsresponder.exe is also described as a zero configuration networking process that provides an automatic discovery feature for services, devices, and computers that are residing on IP based networks. Mdnsresponder.exe utilizes the industry standard IP protocol, which provides devices with an automatic discovery feature without requiring user intervention (when entering IP addresses) or the need for configuring DNS servers.
source:

I would also run MBAM in Safe Mode, also check for Root Kits...


Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

How to ask a question, when posting them to a professional forum.
 
I've been tracking a similar issue at the University I work for. We could not find any obvious infection with hijackThis, malware scans, or our other usual tools.

I started up Aport and saw that a system process was listening on port 67, and generating the fraudulent DHCP responses. After killing services one by one, we determined the culprit to be the machine's DHCP Client process. Disabling this process and setting the user statically is a temporary solution.

We were unable to examine the machine further and remove the infection entirely. This particular virus/trojan is becoming something of a problem for us, so hopefully we can come up with a way to remove it and allow clients to use DHCP.
 
Hi guys;

You'll want to read:

The only good way to track this down that I know of would be to run wireshark to determine the MAC address that is sending out the false DHCP responses. I haven't confirmed this yet, but the MAC should point you to an IP that is infected on your network.

Good Luck.
 
@CoolAcid -

That's the method we have been using to track down the infected host. It's pretty work-intensive since our network is physically very spread out, but it gets the job done, eventually.
 
@atheros86 - Yep confirmed - worked on our network too. I'll probably write a howto later today.



 
Sorry, forgot to get back and update this thread.

It turns out it was a different machine on the network. Funny, because the problem started on Monday when one guy came to me and said that he opened something that he shouldn't have over the weekend. So my attention was mostly focused on that machine. Then it started happening to other laptops on the network. Then it started to happen to desktops. Finally I decided to put in static IP's until I could sort out the problem. Then I went to my DHCP server to see what was up there. I found it down and after a little research, the issue pointed to an entirely unsuspected machine. I went to that machine and easily removed the virus, then everything else fell into place.

Thanks for all of the help and great posts!
 
lyontl - this may be a silly question but...how did you root out the infected machine and how did you clean it? Did the virus have a name? We have this issue but cannot find the offending machine. We have 4 remote locations in the US, not to mention internation locations.
Thanks.
 
Hi!

Something that looks normal but strikes me odd:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
I assume you copy/pasted the log directly.
How come "System32" once normal, then with a capital "S"?
[ponder]

Does this occasionally occur with HiJack This?
It doesn't on my machine...

Strange thing, this.

[navy]"We had to turn off that service to comply with the CDA Bill."[/navy]
- The Bastard Operator From Hell
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top