DNSChanger trojans, Not detected by NAV09


Recently I noticed a behaviour that indicates DNSChanger trojans infecting my PC. The DNS keeps changing to /


My KAV 2009 could not find any threat, so I downloaded NAV 2009 and did a full system scan, but it also could not find any threat. Is there a way to remove this trojan infection?

As NAV09 did not find any threat, I have no file(s) in the Quarantine (infected file name).

I tried to edit the Registry entries to restore the original DNS, but it keeps changing to /


I meant the threat on your computer; it does not have to be in Quarantine for you to submit a file. You do not know what the file is, yet you know this Internet threat is on your computer…?

I do not know the infected file yet, but I know that the DNS values of the TCP/IP settings keep changing.

Also, I just noticed that some websites cannot be opened on my PC (www.boxenclosures.com), but I can open them on my laptop.

Could you please do a search on your PC to see if you have any or all of these files: "kddhc.exe", "kdler.exe" and "step2.exe" (or "step02.exe")?


In Regedit do a search for "geo"


Also look to see if you have

HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services>Tcpip>Parameters>Interfaces>{Network ID}

In the right panel, locate the entry: DhcpNameServer = "*.*.115.51 / *.*.112.97."


If yes, you have some variant of the "Zlob.DNS.changer". HJT will show the "DhcpNameServer":


O17 - HKLM\System\CCS\Services\Tcpip\..\{58CCE822-2FB0-4BC0-86D7-D8EDA7502C25}: NameServer = *.*.115.51,*.*.112.97
O17 - HKLM\System\CCS\Services\Tcpip\..\{74BAB997-F82C-4618-A2BC-589E75165F20}: NameServer = *.*.115.51,*.*.112.97
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FFC1693-CE1A-40C8-9ACA-771BC4D65C5B}: NameServer = *.*.115.51,*.*.112.97
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = *.*.115.51 *.*.112.97
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = *.*.115.51 *.*.112.97

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = *.*.115.51 *.*.112.97


And you may find other entries.







 [edit: Broke IP's for privacy.]

Message Edited by Allen_K on 09-25-2008 12:18 PM

It might be a good idea to download "winsockfix" for after removal if that is what you have infecting your PC.


The list of possible files and registry entries for the Zlob.DNS Changer is huge.




How sure are you that you are really infected?

Please try to download and install a trial of Norton AntiBot. You can download it from the main Symantec website. Let's see what it can find.

Hello Quads

I did a search for the files you listed, but I have not found any.

Also, I looked at the registry and I found the following entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{06CDCD2B-2156-4291-B66F-9A6C51C9D70E}NameServer *.*.115.51,*.*.112.97

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{135EEC7C-4455-4734-AF1E-BFB42F76B5BB}DhcpNameServer *.*.115.51,*.*.112.97

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{135EEC7C-4455-4734-AF1E-BFB42F76B5BB}NameServer *.*.115.51,*.*.112.97

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{06CDCD2B-2156-4291-B66F-9A6C51C9D70E}NameServer *.*.115.51,*.*.112.97

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{135EEC7C-4455-4734-AF1E-BFB42F76B5BB}NameServer *.*.115.51,*.*.112.97

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{06CDCD2B-2156-4291-B66F-9A6C51C9D70E}NameServer *.*.115.51,*.*.112.97

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{135EEC7C-4455-4734-AF1E-BFB42F76B5BB}DhcpNameServer *.*.115.51,*.*.112.97

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{135EEC7C-4455-4734-AF1E-BFB42F76B5BB} NameServer *.*.115.51,*.*.112.97





[edit: Broke IP's for privacy.]

Message Edited by Allen_K on 09-25-2008 12:20 PM
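
The registry check described in the posts above, written as a read-only PowerShell sweep. This is an added example, not part of the original thread or of any tool mentioned in it; `$ExpectedDns` and its address are constructed placeholders to replace with the resolvers your router or ISP actually hands out.

```powershell
# Added example: list every DNS server stored under each control set and
# mark the ones that are not on an allowlist. Read-only; changes nothing.
# ASSUMPTION: $ExpectedDns is a placeholder (TEST-NET-1 documentation address).
$ExpectedDns = @('192.0.2.53')
$valueNames  = 'NameServer', 'DhcpNameServer'

# CurrentControlSet is only a link to one ControlSetNNN. The thread shows the
# same values in ControlSet001 and ControlSet003, so every set is scanned.
$controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$|^CurrentControlSet$' }

$findings = foreach ($cs in $controlSets) {
    $params = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\Tcpip\Parameters"
    if (-not (Test-Path -Path $params)) { continue }

    # The global Parameters key plus one subkey per network interface GUID.
    $keys   = @(Get-Item -Path $params)
    $ifRoot = "$params\Interfaces"
    if (Test-Path -Path $ifRoot) { $keys += Get-ChildItem -Path $ifRoot }

    foreach ($key in $keys) {
        foreach ($name in $valueNames) {
            $raw = $key.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }

            # NameServer is comma-separated, DhcpNameServer space-separated.
            foreach ($ip in ($raw -split '[,\s]+' | Where-Object { $_ })) {
                [pscustomobject]@{
                    ControlSet = $cs.PSChildName
                    Key        = $key.PSChildName
                    Value      = $name
                    Server     = $ip
                    Expected   = $ExpectedDns -contains $ip
                }
            }
        }
    }
}

# Unexpected servers sort first.
$findings | Sort-Object Expected, ControlSet, Key | Format-Table -AutoSize
```

A static `NameServer` value on an interface that is supposed to use DHCP, or the same unfamiliar pair of servers repeated across every interface and control set, matches the pattern shown in the HijackThis O17 lines above.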

Hello Stu 

I Googled “Zlob.DNS.changer” and downloaded Exterminate It! from “http://www.exterminate-it.com” to scan for any infection with Zlob.


Exterminate It! shows that my PC is infected with “Zlob.DNS.changer” and Employee Watcher.







So did "Exterminate It" fix the problem?? The PC is running smoothly??




I’m sorry to say that Exterminate It! did not clean my PC.


I spent hours monitoring the system behaviour and I came to the conclusion that the Rootkit has been changed.


The infected file “Kdebn.exe” was deleted by KAV09, but after it changed the way Windows acts when clicking on the OK button in the TCP/IP settings window.


As the Rootkit has been changed, NAV09 and AntiBot cannot detect any abnormal activities.


Does anyone have any idea on restoring the Rootkit?



Both Panda and Sophos have a free Anti-Rootkit scanner.


If that was the only file, afterwards the TCP/IP settings you had for that will seem corrupted, the Internet not working properly, etc.


You could use "Hijackthis" to see if there is any other file or entry running that shouldn't. For XP, start in safe mode with networking (F8) and run winsockfix 1.2. It fixes Winsock corruption causing the likes of Internet connection problems.



There is a command that could be used via the "run" feature: type "cmd", then type "ipconfig /flushdns".





You could also do a full Antivirus scan while in safe mode.



Please submit this file(s) to Symantec Security Response: http://www.symantec.com/business/security_response/submitsamples.jsp