DNS Changer Trojan

Alvin Flummux
Member
Joined in 2008

DNS Changer Trojan
by Alvin Flummux » Thu May 11, 2017 4:00 am

A week or so ago, Malwarebytes on my PC began picking up a lot of strange outgoing connections, and AVG detected the DNS Changer Trojan. Scanning with Malwarebytes picked up a bunch of nasty malware related to DNS Changer. So, as you do, I removed them, but the very next night they were back, and for no good reason, as I was playing Civ6 at the time. The wife has also had the alerts about them come up during her Sims sessions. It's not dependent on the PC being in use, either, as I've come back to the computer after having left it idling and found the alerts up on the screen as well.

Image


It always starts happening at about 10:30pm each night without fail, and I can't for the life of me figure out why. Googling doesn't reveal anything, and I'm at a loss as to what to do to keep it from coming back. What should I be doing?

Errkal
Member
Joined in 2011
Location: Hastings

Re: DNS Changer Trojan
by Errkal » Thu May 11, 2017 6:07 am

Check Task Scheduler; if it is starting at a certain time, odds are there is a task that is being fired.

Qikz
#420BlazeIt ♥
Joined in 2011

Re: DNS Changer Trojan
by Qikz » Thu May 11, 2017 7:00 am

Go into safe mode and run malwarebytes from there.

The Watching Artist wrote:I feel so inept next to Qikz...
Alvin Flummux
Member
Joined in 2008

Re: DNS Changer Trojan
by Alvin Flummux » Thu May 11, 2017 12:00 pm

Errkal wrote:Check Task Scheduler; if it is starting at a certain time, odds are there is a task that is being fired.


Image


This looks suspicious, and the start time matches up perfectly. Should I just go ahead and delete it, or is there a more permanent fix? Or is that the permanent fix?

I've never encountered anything quite like this before, so I'm not sure what I should be doing.

Errkal
Member
Joined in 2011
Location: Hastings

Re: DNS Changer Trojan
by Errkal » Thu May 11, 2017 1:23 pm

Alvin Flummux wrote:
This looks suspicious, and the start time matches up perfectly. Should I just go ahead and delete it, or is there a more permanent fix? Or is that the permanent fix?

I've never encountered anything quite like this before, so I'm not sure what I should be doing.


Possibly; it is the right time. If you right-click and choose "Properties", then go to the "Actions" tab, what is written in the "Details" column?

Alvin Flummux
Member
Joined in 2008

Re: DNS Changer Trojan
by Alvin Flummux » Fri May 12, 2017 12:08 am

Errkal wrote:
Possibly; it is the right time. If you right-click and choose "Properties", then go to the "Actions" tab, what is written in the "Details" column?


Image

Errkal
Member
Joined in 2011
Location: Hastings

Re: DNS Changer Trojan
by Errkal » Fri May 12, 2017 6:50 am

Alvin Flummux wrote:
Image


Can you select Edit and copy the various boxes? The "Arguments" one is the important one here, as it tells PowerShell what to do when fired.

Alvin Flummux
Member
Joined in 2008

Re: DNS Changer Trojan
by Alvin Flummux » Fri May 12, 2017 11:10 am

Errkal wrote:
Can you select Edit and copy the various boxes? The "Arguments" one is the important one here, as it tells PowerShell what to do when fired.


Image

Image

Image

Errkal
Member
Joined in 2011
Location: Hastings

Re: DNS Changer Trojan
by Errkal » Fri May 12, 2017 11:12 am

Alvin Flummux wrote:
Image

Image

Image


Can you copy and paste the text from the boxes in image 2? I need to see the whole command.

Alvin Flummux
Member
Joined in 2008

Re: DNS Changer Trojan
by Alvin Flummux » Fri May 12, 2017 11:19 am

Errkal wrote:
Can you copy and paste the text from the boxes in image 2? I need to see the whole command.


Program/Script: C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe

Start in: C:\Windows\system32\WindowsPowershell\v1.0

Errkal
Member
Joined in 2011
Location: Hastings

Re: DNS Changer Trojan
by Errkal » Fri May 12, 2017 11:34 am

Alvin Flummux wrote:
Program/Script: C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe

Start in: C:\Windows\system32\WindowsPowershell\v1.0


Thanks. Well, in itself it isn't suspicious, as it is just PowerShell being launched, but I don't understand why it would be being launched.

If it was me I would disable it (right-click the option in Task Scheduler and select Disable), then see what happens. There is a risk, however, that it is there for a reason (what that is I don't know, and I can't think why it would be there) and it breaks something, so I would avoid rebooting "just in case" until after the time the issue you see with Malwarebytes etc. normally happens. If it doesn't happen then I would think we got it; leave it disabled. If it happens, that was something else and you can probably re-enable the task.

That
Dr. Nyaaa~!
Joined in 2008

Re: DNS Changer Trojan
by That » Fri May 12, 2017 11:55 am

Err, you can see the arguments on his first screenshot. It's launching an 'encoded command', which is a common obfuscation vector for malware. It's definitely that service, so go ahead and disable it, then boot into Safe Mode and run your antivirus suite again.

Image
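A scripted version of the check Errkal walks through above and of the encoded-command point That makes: enumerate Task Scheduler actions that launch PowerShell, decode any -EncodedCommand argument so it can be read rather than run, and disable (not delete) the flagged task. This is an added example, not code from the thread; it assumes the built-in ScheduledTasks module (Windows 8.1 / Server 2012 R2 and later) and an elevated PowerShell window.

```powershell
# Added example (not from the thread): find scheduled tasks whose action launches
# PowerShell and decode any -EncodedCommand so the payload can be read, not run.
# Assumes the built-in ScheduledTasks module; run elevated to see every account's tasks.

function Get-PowerShellScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only "Start a program" actions carry Execute/Arguments.
            if (-not $action.Execute) { continue }
            if ($action.Execute -notmatch '(powershell|pwsh)(\.exe)?"?\s*$') { continue }

            $argString = [string]$action.Arguments
            $decoded   = $null
            # -EncodedCommand (also -enc, -ec, -e) takes base64 of the script as UTF-16LE.
            if ($argString -match '-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)') {
                try {
                    $bytes   = [Convert]::FromBase64String($Matches[1])
                    $decoded = [System.Text.Encoding]::Unicode.GetString($bytes)
                } catch {
                    $decoded = '<argument is not valid base64>'
                }
            }

            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskName    = $task.TaskName
                TaskPath    = $task.TaskPath
                State       = $task.State
                Author      = $task.Author
                NextRunTime = $info.NextRunTime
                Execute     = $action.Execute
                Arguments   = $argString
                Decoded     = $decoded
            }
        }
    }
}

# Review every hit; a nightly task handing PowerShell an encoded command, as in this
# thread, is the one to disable. Disabling keeps the task definition as evidence and
# is reversible with Enable-ScheduledTask, unlike deleting it.
$findings = Get-PowerShellScheduledTask
$findings | Format-List

foreach ($hit in $findings | Where-Object { $_.Decoded -and $_.State -ne 'Disabled' }) {
    Disable-ScheduledTask -TaskName $hit.TaskName -TaskPath $hit.TaskPath | Out-Null
    Write-Host "Disabled $($hit.TaskPath)$($hit.TaskName)"
}
```

The decoded text is the script the task would have run, which is what to paste into a malware-analysis report or search for online; the NextRunTime column is the quickest way to match a task against the "every night at 10:30pm" pattern described in the first post.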
Errkal
Member
Joined in 2011
Location: Hastings

Re: DNS Changer Trojan
by Errkal » Fri May 12, 2017 11:58 am

Karl wrote:Err, you can see the arguments on his first screenshot. It's launching an 'encoded command', which is a common obfuscation vector for malware. It's definitely that service, so go ahead and disable it, then boot into Safe Mode and run your antivirus suite again.


gooseberry fool so it does!

Sorry I looked at the window and totally didn't see the mouse over tool tip doodal :fp:

Yeah thats the shitter, disable away.

Alvin Flummux
Member
Joined in 2008

Re: DNS Changer Trojan
by Alvin Flummux » Fri May 12, 2017 12:11 pm

Errkal wrote:
Thanks. Well, in itself it isn't suspicious, as it is just PowerShell being launched, but I don't understand why it would be being launched.

If it was me I would disable it (right-click the option in Task Scheduler and select Disable), then see what happens. There is a risk, however, that it is there for a reason (what that is I don't know, and I can't think why it would be there) and it breaks something, so I would avoid rebooting "just in case" until after the time the issue you see with Malwarebytes etc. normally happens. If it doesn't happen then I would think we got it; leave it disabled. If it happens, that was something else and you can probably re-enable the task.


Thanks for the help, man! We'll see what happens tonight. Fingers crossed. :shifty:

Alvin Flummux
Member
Joined in 2008

Re: DNS Changer Trojan
by Alvin Flummux » Sat May 13, 2017 5:16 am

First night with the thing disabled: No Malwarebytes or AVG alerts, no trojans detected during scans.

While I'll be watching for any changes over the coming days, for now I think I'm good! :toot:

Now I wonder if I shouldn't just delete it...

Errkal
Member
Joined in 2011
Location: Hastings

Re: DNS Changer Trojan
by Errkal » Sat May 13, 2017 6:22 am

The task?

Can do; leave it a couple of days to be 100%, but deleting will be fine.
