
malware shuts down firewall. DNSChanger!fa ?


On Windows 7, FF version 7.0.1, I visited a site that resulted in multiple popup windows that advertise a fake online antivirus protection.

After closing the windows, I had new desktop icons and startmenu items named something like "av online protection" that pointed to a folder under appdata with random numbers. I deleted those shortcuts and the associated appdata folders. Thought I was out of the woods.

Approximately every 30 minutes now, when I'm connected to the internet, I receive a warning from McAfee AntiVirus Plus that it has removed a trojan DNSChanger!fa. File: C:\Windows\assembly\temp\U\[random number].$. Process: C:\Windows\system32\svchost.exe.

I am unable to start McAfee Firewall (it starts for 2 seconds, then stops), and can't boot into safe mode with F8 (have to use msconfig instead).

I have run a full scan in McAfee, then Malwarebytes and neither finds anything. Problem still recurring.

McAfee Antivirus DAT was updated 10/19. I'm on Version 11.0 of SecurityCenter, Version 15 of VirusScan.

Any ideas?

Accepted Solution
Reliable Contributor exbrit
Message 2 of 9

Re: malware shuts down firewall. DNSChanger!fa ?


Your first action that could solve the entire problem would be to initiate System Restore to a point before all this happened.

It's listed in the Start Menu under All Programs > Accessories > System Tools or simply go to Start/Run and type in rstrui.exe and click Enter.  It takes a while to open.

Don't forget to update McAfee and Windows immediately afterwards.  I trust this is Windows 7 SP1?

Edit: I see you've also posted on BleepingComputer forum...good for you, they are expert at this sort of thing.

Message was edited by: Ex_Brit on 20/10/11 6:45:45 EDT PM
8 Replies

Re: malware shuts down firewall. DNSChanger!fa ?


Hi Ex_Brit

Thanks for the quick response. I don't know why it hadn't occurred to me to do a System Restore. Luckily a Dell support app was updated a few hours before the apparent time of the infection, so I have a good restore point.

I'm going to head off and try that, thanks.

B

PS Yes I posted to BleepingComputer after hours of hair pulling. They seemed to be backlogged, so I figured if there was a silver bullet that I could find elsewhere, I could avoid the queue ... and that may be just what you've done for me!

Reliable Contributor exbrit
Message 4 of 9

Re: malware shuts down firewall. DNSChanger!fa ?


OK good luck. If successful, temporarily disable System Restore afterwards in order to delete the infected restore point. Be careful how you surf, what you download or file-share, and always keep Windows totally updated, including Internet Explorer, even if you don't use it, as other processes do use it.

Reliable Contributor Hayton
Message 5 of 9

Re: malware shuts down firewall. DNSChanger!fa ?


Moved this one to Top Threats.

The symptoms are those of an infection by Zero Access. If using System Restore does not fix the problem, go to the VirusTotal website and submit the following file for testing: c:\windows\system32\consrv.dll

There are threads about Zero Access in Top Threats, and posters in this one were reporting the same symptoms that you had. Can you let us know if a System Restore manages to remove the infection?
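A read-only triage script for the checks raised in this thread, added here as an example and not posted by anyone in the thread: it hashes the consrv.dll file Hayton mentions (so the hash can be looked up on VirusTotal before uploading anything), lists the C:\Windows\assembly\temp\U drop directory McAfee reported, shows firewall-related service state, the configured DNS servers, and the restore points available for the System Restore step. It assumes an elevated Windows PowerShell 3.0 or later session (Get-FileHash is not in the PowerShell 2.0 that Windows 7 ships with) on the affected machine.

```powershell
# Added triage script (not from the thread). Assumes PowerShell 3.0+ in an
# elevated prompt on the affected Windows 7 machine. Reads and reports only.

# 1. The file Hayton asks to have submitted to VirusTotal: existence, SHA256
#    and Authenticode status. Search VirusTotal for the hash first.
$consrv = Join-Path $env:SystemRoot 'System32\consrv.dll'
if (Test-Path $consrv) {
    $hash = (Get-FileHash -Path $consrv -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -FilePath $consrv).Status
    Write-Output "consrv.dll present: SHA256=$hash Signature=$sig"
} else {
    Write-Output "consrv.dll not present"
}

# 2. The location McAfee reported the dropped file under
#    (C:\Windows\assembly\temp\U\<random>.$). List anything still there.
$dropDir = Join-Path $env:SystemRoot 'assembly\temp\U'
if (Test-Path $dropDir) {
    Write-Output "Contents of ${dropDir}:"
    Get-ChildItem -Path $dropDir -Force -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
} else {
    Write-Output "$dropDir not present"
}

# 3. Firewall-related services: the reported symptom was the McAfee firewall
#    stopping two seconds after starting. Display-name match avoids guessing
#    the exact service names.
Write-Output 'Firewall-related services:'
Get-Service -DisplayName '*McAfee*', '*Firewall*' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status

# 4. DNS servers per enabled adapter. A "DNSChanger" detection is named for
#    tampering with these; compare against what the router/ISP should hand out.
Write-Output 'DNS servers per adapter:'
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DNSServerSearchOrder

# 5. Restore points available for the System Restore step suggested above.
Write-Output 'System Restore points:'
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
```

Nothing in the script modifies the system, so it is safe to run before the restore and again afterwards to confirm the dropped files and any odd DNS entries are gone.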

Re: malware shuts down firewall. DNSChanger!fa ?


Interesting, because after I submitted my original post and before I saw the response, I was trying to turn off and on my Wi-Fi to see if the McAfee warning of removing DNSChanger!fa only occurred with an internet connection and if I could see a change in processes that correlated. When the Wi-Fi was off for hours, no notifications. When it was on for 5 minutes, they resumed.


After that, I ran a full scan in McAfee again and I got a warning that zeroaccess.e had been found and quarantined. No previous scan after the initial infection turned that up.

I just did a restore to a point before the issues started. Firewall has been up for 30 minutes now without being disabled. I'm running McAfee and MWBAM now. Will update this when it's completed.

I'm sure everyone thinks this, but I'm very cautious about what I download/execute. The only thing downloaded the day of the infection was an auto-update to Dell Support Center (which I thought I had previously uninstalled). No file attachments to emails, no new program installations, etc. I'm concerned that this is related to the Dell thing.

Thanks for the input.

Reliable Contributor exbrit
Message 7 of 9

Re: malware shuts down firewall. DNSChanger!fa ?


It appears that you are OK now....let's hope so. That is strange regarding the Dell update. I'm not too sure what to say about that!

Message was edited by: Ex_Brit on 21/10/11 3:07:28 EDT PM

Re: malware shuts down firewall. DNSChanger!fa ?


I'm good guys, thanks for all the help!

Reliable Contributor exbrit
Message 9 of 9

Re: malware shuts down firewall. DNSChanger!fa ?


Good luck..;-)