DNS Changer Trojan


DNS Changer Trojan
by Alvin Flummux » Thu May 11, 2017 4:00 am

A week or so ago, Malwarebytes on my PC began picking up a lot of strange outgoing connections, and AVG detected the DNS Changer Trojan. Scanning with Malwarebytes picked up a bunch of nasty malware related to DNS Changer. So, as you do, I removed them, but the very next night they were back, and for no good reason, as I was playing Civ6 at the time. The wife has also had the alerts about them come up during her Sims sessions. It's not dependent on the PC being in use, either, as I've come back to the computer after having left it idling and found the alerts up on the screen as well.

[screenshot]


It always starts happening at about 10:30pm each night without fail, and I can't for the life of me figure out why. Googling doesn't reveal anything, and I'm at a loss as to what to do to keep it from coming back. What should I be doing?

Jupiter is in your sun sign this week, making it pretty crowded in there, what with Jupiter being the largest of the planets and all.

Re: DNS Changer Trojan
by Errkal » Thu May 11, 2017 6:07 am

Check Task Scheduler; if it is starting at a certain time, odds are there is a task that is being fired.


Re: DNS Changer Trojan
by Qikz » Thu May 11, 2017 7:00 am

Go into Safe Mode and run Malwarebytes from there.


Re: DNS Changer Trojan
by Alvin Flummux » Thu May 11, 2017 12:00 pm

Errkal wrote:Check task scheduler, if it is starting at a certain time odds are there is a task that is being fired.


[screenshot]


This looks suspicious, and the start time matches up perfectly. Should I just go ahead and delete it, or is there a more permanent fix? Or is that the permanent fix?

I've never encountered anything quite like this before, so I'm not sure what I should be doing.


Re: DNS Changer Trojan
by Errkal » Thu May 11, 2017 1:23 pm

Alvin Flummux wrote:This looks suspicious, and the start time matches up perfectly. Should I just go ahead and delete it, or is there a more permanent fix? Or is that the permanent fix?

I've never encountered anything quite like this before, so I'm not sure what I should be doing.


Possibly, it is the right time. If you right-click and choose "Properties", then go to the "Actions" tab, what is written in the "Details" column?


Re: DNS Changer Trojan
by Alvin Flummux » Fri May 12, 2017 12:08 am

Errkal wrote:Possibly, it is the right time. If you right-click and choose "Properties", then go to the "Actions" tab, what is written in the "Details" column?


[screenshot]


Re: DNS Changer Trojan
by Errkal » Fri May 12, 2017 6:50 am

Alvin Flummux wrote:[screenshot]


Can you select Edit and copy the various boxes? The "Arguments" one is the important one here, as it tells PowerShell what to do when fired.


Re: DNS Changer Trojan
by Alvin Flummux » Fri May 12, 2017 11:10 am

Errkal wrote:Can you select Edit and copy the various boxes? The "Arguments" one is the important one here, as it tells PowerShell what to do when fired.


[screenshot 1]

[screenshot 2]

[screenshot 3]


Re: DNS Changer Trojan
by Errkal » Fri May 12, 2017 11:12 am

Alvin Flummux wrote:[screenshot 1]

[screenshot 2]

[screenshot 3]


Can you copy and paste the text from the boxes in image 2? I need to see the whole command.


Re: DNS Changer Trojan
by Alvin Flummux » Fri May 12, 2017 11:19 am

Errkal wrote:Can you copy and paste the text from the boxes in image 2? I need to see the whole command.


Program/Script: C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe

Start in: C:\Windows\system32\WindowsPowershell\v1.0


Re: DNS Changer Trojan
by Errkal » Fri May 12, 2017 11:34 am

Alvin Flummux wrote:Program/Script: C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe

Start in: C:\Windows\system32\WindowsPowershell\v1.0


Thanks. Well, in itself it isn't suspicious, as it is just PowerShell being launched, but I don't understand why it would be being launched.

If it was me I would disable it (right-click the option in Task Scheduler and select Disable), then see what happens. There is a risk, however, that it is there for a reason (what that is I don't know, and I can't think why it would be there) and it breaks something, so I would avoid rebooting "just in case" until after the time the issue you see with Malwarebytes etc. normally happens. If it doesn't happen, then I would think we got it; leave it disabled. If it happens, that was something else and you can probably re-enable the task.


Re: DNS Changer Trojan
by Karl » Fri May 12, 2017 11:55 am

Err, you can see the arguments on his first screenshot. It's launching an 'encoded command', which is a common obfuscation vector for malware. It's definitely that service, so go ahead and disable it, then boot into Safe Mode and run your antivirus suite again.
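The checks the thread walks through by hand (find the task whose trigger matches the alert time, read its Program/Script and Arguments fields, recognise an encoded PowerShell command, then disable the task rather than delete it) can be done from an elevated PowerShell prompt. The script below is an added example written for this page; it is not code posted in the thread. It assumes the standard ScheduledTasks module cmdlets (Get-ScheduledTask, Get-ScheduledTaskInfo, Export-ScheduledTask, Disable-ScheduledTask); the function names, the constructed sample action used for the self-check and the backup folder path are assumptions made for the example.

```powershell
# Added example (not from the thread): find scheduled tasks whose action launches
# powershell.exe with an encoded command, decode the payload for review, and
# optionally disable the task after exporting its definition for the record.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 and later) and an
# elevated prompt to see tasks in every task-path folder.

function Test-EncodedPowerShellAction {
    param(
        [string]$Execute,     # the task's Program/Script field
        [string]$Arguments    # the task's Arguments field
    )
    $result = [pscustomobject]@{
        IsPowerShell   = $false
        IsEncoded      = $false
        DecodedCommand = $null
    }
    # Match powershell.exe / pwsh.exe regardless of path or quoting.
    if ($Execute -notmatch '(?i)(^|[\\/"])(powershell|pwsh)(\.exe)?"?\s*$') { return $result }
    $result.IsPowerShell = $true

    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
    # -enc, ...). The strong signal is a long base64 token after such a flag;
    # the length floor stops '-ep Bypass' and similar from matching.
    if ($Arguments -match '(?i)(^|\s)-e[a-z]*\s+(?<b64>[A-Za-z0-9+/=]{16,})') {
        $result.IsEncoded = $true
        try {
            # -EncodedCommand payloads are base64 of UTF-16LE text.
            $bytes = [Convert]::FromBase64String($Matches['b64'])
            $result.DecodedCommand = [System.Text.Encoding]::Unicode.GetString($bytes)
        } catch {
            $result.DecodedCommand = "<could not decode: $($_.Exception.Message)>"
        }
    }
    return $result
}

function Find-EncodedCommandTasks {
    # Walk every scheduled task and report actions that look like an encoded
    # PowerShell launch, with trigger type and last/next run times so they can
    # be correlated with the time the alerts appear.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skip COM-handler and e-mail actions
            $check = Test-EncodedPowerShellAction -Execute $action.Execute -Arguments $action.Arguments
            if ($check.IsEncoded) {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    TaskPath       = $task.TaskPath
                    TaskName       = $task.TaskName
                    State          = $task.State
                    Triggers       = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                    LastRunTime    = $info.LastRunTime
                    NextRunTime    = $info.NextRunTime
                    Execute        = $action.Execute
                    DecodedCommand = $check.DecodedCommand
                }
            }
        }
    }
}

function Disable-TaskWithBackup {
    # Export the task XML first so the definition (including the encoded command)
    # stays available for later analysis, then disable rather than delete.
    param([string]$TaskPath, [string]$TaskName, [string]$BackupDir = "$env:USERPROFILE\task-backups")
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    $safeName = ($TaskName -replace '[^\w.-]', '_')
    Export-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName |
        Set-Content -Path (Join-Path $BackupDir "$safeName.xml") -Encoding Unicode
    Disable-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName | Out-Null
}

# --- Self-check on a constructed action (no real task needed) ---
$sampleCommand = "Write-Host 'constructed sample payload'"
$sampleB64 = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($sampleCommand))
$sample = Test-EncodedPowerShellAction `
    -Execute 'C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe' `
    -Arguments "-NoProfile -ep Bypass -enc $sampleB64"
"Sample detected as encoded: $($sample.IsEncoded); decoded: $($sample.DecodedCommand)"

# Scan this machine; Format-List keeps long decoded commands readable.
Find-EncodedCommandTasks | Format-List

# To neutralise a confirmed task while keeping a copy of its definition:
# Disable-TaskWithBackup -TaskPath '\' -TaskName 'NAME-FROM-THE-SCAN'
```

The decoded command is what to read before deciding: a legitimate vendor task will decode to something recognisable, while the kind of task described in this thread decodes to a script that re-downloads or re-registers the things the antivirus keeps removing. Disabling with a saved copy follows Errkal's advice above: if the nightly alerts stop, leave it disabled; if anything breaks, the XML can be re-imported with Register-ScheduledTask.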


Re: DNS Changer Trojan
by Errkal » Fri May 12, 2017 11:58 am

Karl wrote:Err, you can see the arguments on his first screenshot. It's launching an 'encoded command', which is a common obfuscation vector for malware. It's definitely that service, so go ahead and disable it, then boot into Safe Mode and run your antivirus suite again.


gooseberry fool, so it does!

Sorry, I looked at the window and totally didn't see the mouse-over tooltip doodah :fp:

Yeah, that's the shitter, disable away.


Re: DNS Changer Trojan
by Alvin Flummux » Fri May 12, 2017 12:11 pm

Errkal wrote:Thanks. Well, in itself it isn't suspicious, as it is just PowerShell being launched, but I don't understand why it would be being launched.

If it was me I would disable it (right-click the option in Task Scheduler and select Disable), then see what happens. There is a risk, however, that it is there for a reason (what that is I don't know, and I can't think why it would be there) and it breaks something, so I would avoid rebooting "just in case" until after the time the issue you see with Malwarebytes etc. normally happens. If it doesn't happen, then I would think we got it; leave it disabled. If it happens, that was something else and you can probably re-enable the task.


Thanks for the help, man! We'll see what happens tonight. Fingers crossed. :shifty:


Re: DNS Changer Trojan
by Alvin Flummux » Sat May 13, 2017 5:16 am

First night with the thing disabled: No Malwarebytes or AVG alerts, no trojans detected during scans.

While I'll be watching for any changes over the coming days, for now I think I'm good! :toot:

Now I wonder if I shouldn't just delete it...


Re: DNS Changer Trojan
by Errkal » Sat May 13, 2017 6:22 am

The task?

Can do; leave it a couple of days to be 100%, but deleting will be fine.

