1 2 3 Previous Next 24 Replies Latest reply on Nov 16, 2009 11:15 AM by dmag Branched to a new discussion.

    Any body have any experience with DNSChanger!ca

      I recently picked up a Trojan that McAfee labeled as DNSChanger!ca. Whenever I start up my computer, after a few minutes, my McAfee realtime scan will give me an alert that it detected the DNSChanger!CA trojan.

       

      The alert will say

      C:\windows\system32\tdlwsp.dll                                                                                    quarantined

      HKLM\software\microsoft\windows\currentversion\run|pinnacledrivercheck                         quarantined

       

      Process: C:windows\system\svchost.exe

       

       

      I will then be able to delete the quarantined files (after sending them to McAfee). I also check my system registry to make sure the "pinnacledrivercheck" entry is gone (I do have Pinnacle Studio 10 on my machine) and the entry will be clear. However, two hours later the alert will return and then every two hours after that.

       

      I checked with the McAfee database on their website and they do have the trojan listed, however they do not have any removal instructions like they do for the other DNSChanger variants. I am assuming it is still too new.

       

      I am running Windows XP Home Edition SP2 with the latest security updates downloaded. I tried a Windows system restore to a time before the trojan appeared but still have the problem.

       

      I downloaded the latest McAfee updates and ran a full system scan. The scan came out clean but the realtime scan still sees the problem every two hours.

      I also downloaded both Spybot and Malwarebytes, downloaded the latest updates, and ran both programs but still have the problem.

       

      Other than the alerts from McAfee my computer does not seem to exhibit any other adverse reactions. Both my Internet Explorer and Firefox seem to function normally, but the Trojan keeps returning.

       

      Any help or advice will be greatly appreciated.

        • 1. Re: Any body have any experience with DNSChanger!ca
          SPyron

          Out of curiosity, do you have System Restore Points enabled? Some variants of DNSChanger are known to hide there. It's possible one or more of your restore points are infected, so periodically it tries to reinfect from there?

           

          I should caution you, if you disable your restore points (which is a best practice when dealing with an infection), you will be unable to restore your system to a previous point. After you are certain the system is malware-free, you can re-enable and after some time, build up new restore points.

           

          Here are some instructions for disabling restore points in XP/Vista:

           

          http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.aspx

           

          If you're comfortable with losing your old restore points, please disable them and let me know if the detection comes back in 2 hours as it has been.

           

          Also, if this doesn't help, could you please post back with the Software version and Dat/Engine version you're running?

           

           

          Message was edited by: Somer Pyron on 11/12/09 8:46 AM
          1 of 1 people found this helpful
          • 2. Re: Any body have any experience with DNSChanger!ca
            Peter M

            Adding to what Somer has already said, you might want to boot into Safe Mode after disabling System Restore and running a scan there.  The infection is noted on McAfee's books but doesn't list any particular method for removal.

             

            You can reach Safe Mode by tapping F8 repeatedly while booting up.   Scan in that mode by going to "My Computer" and right-clicking the hard drive and selecting "Scan" from the drop-down menu.

             

            You should also update XP to SP3 a.s.a.p.  Guidelines for that are here:  http://community.mcafee.com/message/6631#6631

             

            Moved to Home User Assistance from General Malware Discussion by the way.

             

             

            Message was edited by: Ex_Brit on 11/12/09 8:51 AM
            1 of 1 people found this helpful
            • 3. Re: Any body have any experience with DNSChanger!ca
              Peter M

              I just noticed something...one of those items it identified as infected says pinnacledrivercheck.  Are you using any Pinnacle Video Editing software?

               

              If so and you think that this may be a false detection submit it to McAfee using a header False.  See this thread for guidelines: http://community.mcafee.com/message/32859#32859

              • 4. Re: Any body have any experience with DNSChanger!ca

                I have no problem turning off system restore. The issue is on my home machine and I am currently at work, so won't be able to try it till I get home tonight.

                 

                However, if I were a betting man I don't think I would bet on the trojan hiding in any restore files because I didn't have any restore points on file since I first noticed the problem (I did create a restore point last night when I was working with the registry, but that was after numerous alerts had already occurred) but it is certainly some good advice and worth a try. Stranger things have happened in the world of computers.

                 

                Thanks, I'll let you know what happens.

                • 5. Re: Any body have any experience with DNSChanger!ca

                  I do have Pinnacle software on my machine. After the registry entry was removed I checked to see if the Studio 10 would still function and it seemed to work okay. So either the registry entry was a red herring or it was some obscure Pinnacle command that will come back to bite me at a later date. But if push comes to shove I can always reload the Pinnacle.

                   

                  I'm not prepared to call this a false positive yet. I don't know how common they are but I have been using McAfee products for many years and have never experienced anything like this other than an actual infection. Even though I don't seem to be suffering any other adverse effects I still want to be sure something nasty isn't hiding on the machine.

                   

                  I will also try running another scan in safe mode.

                   

                  Thanks

                  • 7. Re: Any body have any experience with DNSChanger!ca
                    Peter M

                    dmag wrote:

                     

                    I do have Pinnacle software on my machine. After the registry entry was removed I checked to see if the Studio 10 would still function and it seemed to work okay. So either the registry entry was a red herring or it was some obscure Pinnacle command that will come back to bite me at a later date. But if push comes to shove I can always reload the Pinnacle.

                     

                    I'm not prepared to call this a false positive yet. I don't know how common they are but I have been using McAfee products for many years and have never experienced anything like this other than an actual infection. Even though I don't seem to be suffering any other adverse effects I still want to be sure something nasty isn't hiding on the machine.

                     

                    I will also try running another scan in safe mode.

                     

                    Thanks

                     

                    It looks like we both posted simultaneously!  It looks like some part of the software that checks for updates or has done so in the past.  Probably not too important.

                     

                    It might be an idea to submit it to God I mean the Threat Center for further analysis in any case.

                     

                     

                    Message was edited by: Ex_Brit on 11/12/09 9:27 AM
                    • 8. Re: Any body have any experience with DNSChanger!ca

                      Rebooted my machine in safe mode. Turned off system restore. Ran a complete system scan. The scan turned up nothing.

                       

                      Rebooted my machine back to full status with restore still turned off. After about 5 minutes I got another realtime scan alert:

                       

                      File name: TDLWSP.DLL

                      Original Location: C:\Windows\System 32

                      Quarantined Date: 11/12/2009 5:19:46 PM

                      Sent to Mcafee: 11/12/2009 5:21:21 PM

                      Detection Name:DNSChanger!CA (Trojan)

                      Items:

                      C:\Windows\System32\TDLWSP.DLL


                      Checking the Detection log showed, in addition to the above information:


                      Process: C:\WINDOWS\system32\svchost.exe

                      Process Description: Generic Host Process For Win32 Services

                       

                      I am running McAfee Security Center, Version: 9.15, Build: 9.15.135

                      VirusScan, Version: 13.15, Build: 13.15.102, DAT Version: 5799.0000, Creation Date: 11/11/2009

                      Personal Firewall: Version 10.15, Build 10.15.103

                       

                      Interestingly, the entire time that I was in safe mode, over 5 hours, the realtime scan did not report any alerts. I suspect that the Trojan must be detecting when I am online. I'm going to try a firewall lockdown and see if that keeps me from getting the alerts.

                       

                      In looking over some other forum entries it seems that some of the DNSChanger variants are rootkits. If that's the case for this particular Trojan I may be in for a rougher time than I expected.

                      • 9. Re: Any body have any experience with DNSChanger!ca
                        SPyron

                        This is a rootkit. A rootkit relies on the Windows API to hide itself. When you're in safe mode, it may not load. If it doesn't load, it doesn't deliver its payload (in this case, trying to change settings, hijack your session, or just being generally suspicious). If it doesn't attempt to do something suspicious, it doesn't trip the realtime scanner. In the current environment, rootkits are some of the most difficult threats to clear out once they've gotten on the system. Add to that the clever way they are disguised (frequently as a useful program or an update to a safe program that a user just accepts) and it can be a serious issue.

                         

                        You might consider booting to safe mode command prompt and running a scan there. It's a lengthy process, I know, but can be good at catching these tough ones. Here's a link to some information and steps on running that scan. Be warned, it can take a very long time. You might want to start it when you're done working for the night and let it run.

                         

                         

                        As an aside, I would advise that you hold off on checking any type of online banking site until this is cleared up.

                         

                        Also, if you could, open a DOS prompt (Start, Run, cmd, ENTER) and type:

                         

                        netstat -an <ENTER>

                         

                        I'd like to see if any of the IP addresses shown there connect to port 6666 or 6667 (it would look like this - 127.0.0.1:6667). These are standard IRC communication ports. If you're not using IRC, nothing should be listening on them. I'm just curious to see how this behaves.

                         

                        Ex_Brit, can you suggest anything I might have overlooked?

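The `netstat -an` check SPyron asks for above, as an added example that is not part of the original thread: a Python script that parses Windows-style `netstat -an` output and reports every entry whose local or foreign port is one of the IRC ports (6666, 6667) mentioned in that reply. The sample output embedded in the script is constructed for illustration (the IP addresses are from documentation ranges), not captured from dmag's machine; the function names are my own.

```python
import re

# Ports the reply asks the poster to look for: standard IRC ports.
# With no IRC client in use, nothing should be listening on or connected to them.
IRC_PORTS = {6666, 6667}

# Constructed sample of Windows `netstat -an` output (assumption: not real data
# from the poster's machine; addresses are documentation ranges).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      192.0.2.50:6667        ESTABLISHED
  TCP    192.168.1.10:1044      198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:6666         *:*
"""

# One netstat row: protocol, local endpoint, foreign endpoint, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port). Port is None for '*' (UDP wildcard).
    rpartition keeps IPv6 forms such as '[::]:135' intact."""
    host, _, port = endpoint.rpartition(":")
    if not port.isdigit():
        return host, None
    return host, int(port)


def parse_netstat(text):
    """Turn raw `netstat -an` text into a list of dicts; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        proto, local, foreign, state = match.groups()
        local_host, local_port = split_endpoint(local)
        foreign_host, foreign_port = split_endpoint(foreign)
        entries.append({
            "proto": proto,
            "local_host": local_host,
            "local_port": local_port,
            "foreign_host": foreign_host,
            "foreign_port": foreign_port,
            "state": state,
        })
    return entries


def find_irc_ports(entries, ports=IRC_PORTS):
    """Return the entries that involve one of the watched ports, locally or remotely."""
    return [e for e in entries
            if e["local_port"] in ports or e["foreign_port"] in ports]


def describe(entry):
    """Human-readable one-liner for a flagged entry."""
    state = entry["state"] or "-"
    return (f"{entry['proto']} {entry['local_host']}:{entry['local_port']} -> "
            f"{entry['foreign_host']}:{entry['foreign_port']} [{state}]")


if __name__ == "__main__":
    # Replace SAMPLE_NETSTAT with the text of a real `netstat -an` run to check a live system.
    flagged = find_irc_ports(parse_netstat(SAMPLE_NETSTAT))
    if not flagged:
        print("No entries on ports", sorted(IRC_PORTS))
    for entry in flagged:
        print("Flagged:", describe(entry))
```

On the constructed sample the script flags two rows: the established connection to 192.0.2.50:6667 and the local UDP socket bound to 127.0.0.1:6666. A hit on its own only says that something is talking on those ports; as SPyron notes, it is a reason to look further (which process owns the socket), not proof of infection.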