dmag
Level 7

Any body have any experience with DNSChanger!ca

I recently picked up a Trojan that McAfee labeled as DNSChanger!ca. Whenever I start up my computer, after a few minutes, my McAfee realtime scan will give me an alert that it detected the DNSChanger!CA trojan.

The alert will say

C:\windows\system32\tdlwsp.dll    quarantined

HKLM\software\microsoft\windows\currentversion\run|pinnacledrivercheck    quarantined

Process: C:windows\system\svchost.exe

I will then be able to delete the quarantined files (after sending them to McAfee). I also check my system registry to make sure the "pinnacledrivercheck" entry is gone (I do have Pinnacle Studio 10 on my machine) and the entry will be clear. However, two hours later the alert will return and then every two hours after that.

I checked with the McAfee database on their website and they do have the trojan listed, however they do not have any removal instructions like they do for the other DNSChanger variants. I am assuming it is still too new.

I am running Windows XP Home Edition SP2 with the latest security updates downloaded. I tried a Windows system restore to a time before the trojan appeared but still have the problem.

I downloaded the latest Mcafee updates and ran a full system scan. The scan came out clean but the realtime scan still sees the problem every two hours.

I also downloaded both Spybot and Malwarebytes, downloaded the latest updates, and ran both programs but still have the problem.

Other than the alerts from McAfee my computer does not seem to exhibit any other adverse reactions. Both my Internet Explorer and Firefox seem to function normally, but the Trojan keeps returning.

Any help or advice will be greatly appreciated.

24 Replies
McAfee Employee

Re: Any body have any experience with DNSChanger!ca

Out of curiosity, do you have System Restore Points enabled? Some variants of DNSChanger are known to hide there. It's possible one or more of your restore points are infected, so periodically it tries to reinfect from there?

I should caution you, if you disable your restore points (which is a best practice when dealing with an infection), you will be unable to restore your system to a previous point. After you are certain the system is malware-free, you can re-enable and after some time, build up new restore points.

Here are some instructions for disabling restore points in xp/vista:

http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.aspx

If you're comfortable with losing your old restore points, please disable them and let me know if the detection comes back in 2 hours as it has been.

Also, if this doesn't help, could you please post back with the Software version and Dat/Engine version you're running?

Message was edited by: Somer Pyron on 11/12/09 8:46 AM
Somer L. Pyron
Knowledge Analyst
ServicePortal: support.mcafee.com
Web: www.mcafee.com
exbrit
Level 21

Re: Any body have any experience with DNSChanger!ca

Adding to what Somer has already said, you might want to boot into Safe Mode after disabling System Restore and running a scan there.  The infection is noted on McAfee's books but doesn't list any particular method for removal.

You can reach Safe Mode by tapping F8 repeatedly while booting up.   Scan in that mode by going to "My Computer" and right-clicking the hard drive and selecting "Scan" from the drop-down menu.

You should also update XP to SP3 a.s.a.p.  Guidelines for that are here:  http://community.mcafee.com/message/6631#6631

Moved to Home User Assistance from General Malware Discussion by the way.

Message was edited by: Ex_Brit on 11/12/09 8:51 AM
exbrit
Level 21

Re: Any body have any experience with DNSChanger!ca

I just noticed something...one of those items it identified as infected says pinnacledrivercheck.  Are you using any Pinnacle Video Editing software?

If so and you think that this may be a false detection submit it to McAfee using a header False.  See this thread for guidelines: http://community.mcafee.com/message/32859#32859

dmag
Level 7

Re: Any body have any experience with DNSChanger!ca

I do have Pinnacle software on my machine. After the registry entry was removed I checked to see if the Studio 10 would still function and it seemed to work okay. So either the registry entry was a red herring or it was some obscure Pinnacle command that will come back bite me at a later date. But if push comes to shove I can always reload the Pinnacle.

I'm not prepared to call this a false positive yet. I don't know how common they are but I have been using McAfee products for many years and have never experienced anything like this other than an actual infection. Even though I don't seem to be suffering any other adverse effects I still want to be sure something nasty isn't hiding on the machine.

I will also try running another scan in safe mode.

Thanks

exbrit
Level 21

Re: Any body have any experience with DNSChanger!ca

dmag wrote:

I do have Pinnacle software on my machine. After the registry entry was removed I checked to see if the Studio 10 would still function and it seemed to work okay. So either the registry entry was a red herring or it was some obscure Pinnacle command that will come back bite me at a later date. But if push comes to shove I can always reload the Pinnacle.

I'm not prepared to call this a false positive yet. I don't know how common they are but I have been using McAfee products for many years and have never experienced anything like this other than an actual infection. Even though I don't seem to be suffering any other adverse effects I still want to be sure something nasty isn't hiding on the machine.

I will also try running another scan in safe mode.

Thanks

It looks like we both posted simultaneously!  It looks like some part of the software that checks for updates or has done so in the past.  Probably not too important.

It might be an idea to submit it to God I mean the Threat Center for further analysis in any case.

Message was edited by: Ex_Brit on 11/12/09 9:27 AM
dmag
Level 7

Re: Any body have any experience with DNSChanger!ca

Rebooted my machine in safe mode. Turned off system restore. Ran a complete system scan. The scan turned up nothing.

Rebooted my machine back to full status with restore still turned off. After about 5 minutes I got another realtime scan alert:

File name: TDLWSP.DLL

Original Location: C:\Windows\System 32

Quarantined Date: 11/12/2009 5:19:46 PM

Sent to Mcafee: 11/12/2009 5:21:21 PM

Detection Name: DNSChanger!CA (Trojan)

Items:

C:\Windows\System32\TDLWSP.DLL


Checking the The Detection log showed, in addition to the above information:


Process: C:\WINDOWS\system32\svchost.exe

Process Description: Generic Host Process For Win32 Services

I am running McAfee Security Center, Version: 9.15, Build: 9.15.135

VirusScan, Version: 13.15, Build: 13.15.102, DAT Version: 5799.0000, Creation Date: 11/11/2009

Personal Firewall: Version 10.15, Build 10.15.103

Interestingly, the entire time that I was in safe mode, over 5 hours, the realtime scan did not report any alerts. I suspect that the Trojan must be detecting when I am online. I'm going to try a firewall lockdown and see if that keeps me from getting the alerts.

In looking over some other forum entries it seems that some of the DNSChanger variants are rootkits. If that's the case for this particular Trojan I may be in for a rougher time than I expected.

McAfee Employee

Re: Any body have any experience with DNSChanger!ca

This is a rootkit. A rootkit relies on the Windows API to hide itself. When you're in safe mode, it may not load. If it doesn't load, it doesn't deliver its payload (in this case, trying to change settings, hijack your session, or just being generally suspicious). If it doesn't attempt to do something suspicious, it doesn't trip the realtime scanner. In the current environment, rootkits are some of the most difficult threats to clear out once they've gotten on the system. Add to that the clever way they are disguised (frequently as a useful program or an update to a safe program that a user just accepts) and it can be a serious issue.

You might consider booting to safe mode command prompt and running a scan there. It's a lengthy process, I know, but can be good at catching these tough ones. Here's a link to some information and steps on running that scan. Be warned, it can take a very long time. You might want to start it when you're done working for the night and let it run.

As an aside, I would advise that you hold off on checking any type of online banking site until this is cleared up.

Also, if you could, open a DOS prompt (Start, Run, cmd, ENTER) and type:

netstat -an <ENTER>

I'd like to see if any of the IP addresses shown there connect to port 6666 or 6667 (it would look like this - 127.0.0.1:6667). These are standard IRC communication ports. If you're not using IRC, nothing should be listening on them. I'm just curious to see how this behaves.

Ex_Brit, can you suggest anything I might have overlooked?

Somer L. Pyron
Knowledge Analyst
ServicePortal: support.mcafee.com
Web: www.mcafee.com
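The port check the analyst asks for above (looking through `netstat -an` for anything on the standard IRC ports 6666/6667) is easy to do by eye on a quiet machine but tedious on a busy one. The following is an added example, not code from the thread or from McAfee: it parses the `netstat -an` text as Windows prints it and reports every TCP or UDP row whose local or foreign endpoint uses one of those ports. The embedded `SAMPLE_NETSTAT` block is constructed sample output (the addresses and ports in it are made up) so the script runs offline; the `collect_live()` helper is the assumed way to feed it the real output on a Windows box.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Ports the analyst in the thread asked about: the standard IRC ports.
IRC_PORTS = {6666, 6667}

# Constructed sample of `netstat -an` output in the Windows XP layout.
# None of these addresses or connections are real observations.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1032         127.0.0.1:6667         ESTABLISHED
  TCP    192.168.1.5:1045       203.0.113.10:80        ESTABLISHED
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

# One netstat row: protocol, local endpoint, foreign endpoint, optional state
# (UDP rows have no State column, hence the optional fourth group).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

Endpoint = Tuple[str, Optional[int]]


def split_endpoint(endpoint: str) -> Endpoint:
    """Split 'host:port' into (host, port); '*:*' and IPv6 '[::]:135' both work."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Dict]:
    """Turn raw `netstat -an` text into a list of row dictionaries."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header, blank lines, 'Active Connections'
            continue
        proto, local, foreign, state = m.groups()
        rows.append({
            "proto": proto,
            "local": split_endpoint(local),
            "foreign": split_endpoint(foreign),
            "state": state or "",
        })
    return rows


def find_irc_ports(rows: List[Dict], ports=IRC_PORTS) -> List[Dict]:
    """Rows where either side of the connection uses a watched port."""
    return [r for r in rows if r["local"][1] in ports or r["foreign"][1] in ports]


def describe(row: Dict) -> str:
    lhost, lport = row["local"]
    fhost, fport = row["foreign"]
    return f"{row['proto']} {lhost}:{lport} -> {fhost}:{fport} {row['state']}".strip()


def collect_live() -> str:
    """Assumed helper: run the real `netstat -an` on the machine being checked."""
    return subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Swap SAMPLE_NETSTAT for collect_live() to check the live machine.
    hits = find_irc_ports(parse_netstat(SAMPLE_NETSTAT))
    if not hits:
        print("nothing on ports 6666/6667")
    for row in hits:
        print("IRC-port row:", describe(row))
```

A hit on these ports is only a lead, as the analyst says: an IRC client the user knows about will show up the same way, and the absence of a hit (which is what the original poster reported) does not clear the machine, since the sample was taken while the process may not have been active.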
exbrit
Level 21

Re: Any body have any experience with DNSChanger!ca

Not really, you seem to have covered all the bases.

Should the DOS scan prove a problem or not successful there is always BootCD authored by one of our security Moderators secured2k, assuming you have access to a clean machine that can burn CDRW media.

http://community.mcafee.com/thread/6923

Plus, when this is all over, update to SP3.

Message was edited by: Ex_Brit on 11/12/09 4:51 PM
dmag
Level 7

Re: Any body have any experience with DNSChanger!ca

Thanks for getting back to me so promptly. I will try the DOS scan tonight.

Good advice on the online banking. I was thinking the same thing, or anything involving online purchasing for that matter.

Checked the IRC communication ports: no 6666 or 6667.
