DNS Changer Trojan

Posted: Thu May 11, 2017 4:00 am
by Alvin Flummux
A week or so ago, Malwarebytes on my PC began picking up a lot of strange outgoing connections, and AVG detected the DNS Changer Trojan. Scanning with Malwarebytes picked up a bunch of nasty malware related to DNS Changer. So, as you do, I removed them, but the very next night they were back, and for no good reason, as I was playing Civ6 at the time. The wife has also had the alerts about them come up during her Sims sessions. It's not dependent on the PC being in use, either, as I've come back to the computer after having left it idling and found the alerts up on the screen as well.

Image


It always starts happening at about 10:30pm each night without fail, and I can't for the life of me figure out why. Googling doesn't reveal anything, and I'm at a loss as to what to do to keep it from coming back. What should I be doing?

Re: DNS Changer Trojan

Posted: Thu May 11, 2017 6:07 am
by Christmas CrackErrkal
Check Task Scheduler; if it is starting at a certain time, odds are there is a task that is being fired.

Re: DNS Changer Trojan

Posted: Thu May 11, 2017 7:00 am
by Qikz
Go into Safe Mode and run Malwarebytes from there.

Re: DNS Changer Trojan

Posted: Thu May 11, 2017 12:00 pm
by Alvin Flummux
Errkal wrote: Check Task Scheduler; if it is starting at a certain time, odds are there is a task that is being fired.


Image


This looks suspicious, and the start time matches up perfectly. Should I just go ahead and delete it, or is there a more permanent fix? Or is that the permanent fix?

I've never encountered anything quite like this before, so I'm not sure what I should be doing.

Re: DNS Changer Trojan

Posted: Thu May 11, 2017 1:23 pm
by Christmas CrackErrkal
Alvin Flummux wrote:

Image


This looks suspicious, and the start time matches up perfectly. Should I just go ahead and delete it, or is there a more permanent fix? Or is that the permanent fix?

I've never encountered anything quite like this before, so I'm not sure what I should be doing.


Possibly; it is the right time. If you right-click and choose "Properties" then go to the "Actions" tab, what is written in the "Details" column?

Re: DNS Changer Trojan

Posted: Fri May 12, 2017 12:08 am
by Alvin Flummux
Errkal wrote:
Possibly; it is the right time. If you right-click and choose "Properties" then go to the "Actions" tab, what is written in the "Details" column?


Image

Re: DNS Changer Trojan

Posted: Fri May 12, 2017 6:50 am
by Christmas CrackErrkal
Alvin Flummux wrote:
Image


Can you select Edit and copy the various boxes? The "Arguments" one is the important one here, as it tells PowerShell what to do when fired.

Re: DNS Changer Trojan

Posted: Fri May 12, 2017 11:10 am
by Alvin Flummux
Errkal wrote:
Can you select Edit and copy the various boxes? The "Arguments" one is the important one here, as it tells PowerShell what to do when fired.


Image

Image

Image

Re: DNS Changer Trojan

Posted: Fri May 12, 2017 11:12 am
by Christmas CrackErrkal
Alvin Flummux wrote:
Image

Image

Image


Can you copy and paste the text from the boxes in image 2? I need to see the whole command.

Re: DNS Changer Trojan

Posted: Fri May 12, 2017 11:19 am
by Alvin Flummux
Errkal wrote:
Can you copy and paste the text from the boxes in image 2? I need to see the whole command.


Program/Script: C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe

Start in: C:\Windows\system32\WindowsPowershell\v1.0

Re: DNS Changer Trojan

Posted: Fri May 12, 2017 11:34 am
by Christmas CrackErrkal
Alvin Flummux wrote:
Program/Script: C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe

Start in: C:\Windows\system32\WindowsPowershell\v1.0


Thanks. Well, in itself it isn't suspicious, as it is just PowerShell being launched, but I don't understand why it would be being launched.

If it was me I would disable it (right-click the option in Task Scheduler and select Disable), then see what happens. There is a risk, however, that it is there for a reason (what that is I don't know, and I can't think why it would be there) and it breaks something, so I would avoid rebooting "just in case" until after the time the issue you see with Malwarebytes etc. normally happens. If it doesn't happen, then I would think we got it; leave it disabled. If it happens, that was something else and you can probably re-enable the task.

Re: DNS Changer Trojan

Posted: Fri May 12, 2017 11:55 am
by Karl
Err, you can see the arguments on his first screenshot. It's launching an 'encoded command', which is a common obfuscation vector for malware. It's definitely that service, so go ahead and disable it, then boot into Safe Mode and run your antivirus suite again.
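The two checks the thread walks through by hand, Errkal's "look in Task Scheduler for a task firing at that time" and Karl's "the Arguments box carries an encoded command", can be done in one pass from an elevated PowerShell prompt. The script below is an added example, not code from the thread or from any of the tools mentioned in it. It assumes the built-in ScheduledTasks module (Windows 8 / Server 2012 and later), lists every task whose action runs powershell.exe with an encoded command, decodes the Base64/UTF-16LE payload so it can be read before anything is touched, and only disables matching tasks when asked to with -Disable. The sample argument string in the self-check is constructed; nothing in the script is specific to the task in the screenshots.

```powershell
# Added triage script (assumption: ScheduledTasks module present; run elevated so
# tasks under \Microsoft\* are visible). Not taken from the thread or any product.

function ConvertFrom-EncodedCommand {
    # -EncodedCommand payloads are Base64 of the script's UTF-16LE bytes.
    param([Parameter(Mandatory)][string]$Base64)
    try {
        [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
    } catch {
        "<not valid Base64: $($_.Exception.Message)>"
    }
}

function Get-EncodedCommandFromArguments {
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand
    # (-e, -ec, -enc, ...), so match on "prefix of the switch name", not one
    # fixed spelling. -ExecutionPolicy is not a prefix, so it is skipped.
    param([string]$Arguments)
    $tokens = @($Arguments -split '\s+' | Where-Object { $_ })
    for ($i = 0; $i -lt $tokens.Count - 1; $i++) {
        if ($tokens[$i] -notmatch '^[-/](\w+)$') { continue }
        $name = $Matches[1].ToLowerInvariant()
        if ('encodedcommand'.StartsWith($name)) {
            return $tokens[$i + 1].Trim('"', "'")
        }
    }
    return $null
}

function Get-EncodedPowerShellTask {
    # Emit one record per task action that launches PowerShell with an encoded
    # command, including the decoded script and the task's next/last run time.
    param([switch]$Disable)   # -Disable: turn matching tasks off after listing them
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # not an "Exec" action
            if ($action.Execute -notmatch '(?i)(powershell|pwsh)(\.exe)?"?$') { continue }
            $encoded = Get-EncodedCommandFromArguments -Arguments ([string]$action.Arguments)
            if (-not $encoded) { continue }
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                State       = $task.State
                Author      = $task.Author
                NextRunTime = $info.NextRunTime
                LastRunTime = $info.LastRunTime
                Execute     = $action.Execute
                Arguments   = $action.Arguments
                Decoded     = ConvertFrom-EncodedCommand -Base64 $encoded
            }
            if ($Disable) { Disable-ScheduledTask -InputObject $task | Out-Null }
        }
    }
}

# Self-check on a constructed argument line (not from the thread): the decoder
# must round-trip a known script through the same encoding PowerShell uses.
$sample    = "Write-Output 'constructed sample'"
$sampleB64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($sample))
$argLine   = "-NoProfile -ExecutionPolicy Bypass -enc $sampleB64"
$decoded   = ConvertFrom-EncodedCommand -Base64 (Get-EncodedCommandFromArguments -Arguments $argLine)
if ($decoded -ne $sample) { throw "self-check failed: got '$decoded'" }

# Review first; add -Disable only once the decoded script has been read.
Get-EncodedPowerShellTask | Format-List
```

Reading the Decoded field before disabling anything is the point: an encoded command is not proof of malware on its own (some legitimate installers use it), but a task an administrator cannot account for, firing at a fixed time every night and launching PowerShell with an opaque payload, is exactly the pattern the thread describes, and the decoded text usually settles the question. Keep the output (task path, author, arguments) before disabling or deleting the task, since that is the evidence needed to look for anything else the payload may have dropped.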

Re: DNS Changer Trojan

Posted: Fri May 12, 2017 11:58 am
by Christmas CrackErrkal
Karl wrote:Err, you can see the arguments on his first screenshot. It's launching an 'encoded command', which is a common obfuscation vector for malware. It's definitely that service, so go ahead and disable it, then boot into Safe Mode and run your antivirus suite again.


gooseberry fool so it does!

Sorry I looked at the window and totally didn't see the mouse over tool tip doodal :fp:

Yeah, that's the shitter; disable away.

Re: DNS Changer Trojan

Posted: Fri May 12, 2017 12:11 pm
by Alvin Flummux
Errkal wrote:
Thanks. Well, in itself it isn't suspicious, as it is just PowerShell being launched, but I don't understand why it would be being launched.

If it was me I would disable it (right-click the option in Task Scheduler and select Disable), then see what happens. There is a risk, however, that it is there for a reason (what that is I don't know, and I can't think why it would be there) and it breaks something, so I would avoid rebooting "just in case" until after the time the issue you see with Malwarebytes etc. normally happens. If it doesn't happen, then I would think we got it; leave it disabled. If it happens, that was something else and you can probably re-enable the task.


Thanks for the help, man! We'll see what happens tonight. Fingers crossed. :shifty:

Re: DNS Changer Trojan

Posted: Sat May 13, 2017 5:16 am
by Alvin Flummux
First night with the thing disabled: No Malwarebytes or AVG alerts, no trojans detected during scans.

While I'll be watching for any changes over the coming days, for now I think I'm good! :toot:

Now I wonder if I shouldn't just delete it...

Re: DNS Changer Trojan

Posted: Sat May 13, 2017 6:22 am
by Christmas CrackErrkal
The task?

Can do. Leave it a couple of days to be 100%, but deleting will be fine.