Godlike Productions - Discussion Forum

WARNING****DNSchanger sounds fishy!! Here are a few tricks to check for infection.

 
Nostril Domus

User ID: 9357516
United States
07/08/2012 08:19 PM
DNS changers have been around for quite some time (see examples below). Why is this variant any different?
Why have the big hitters of antivirus been reporting on this one with a removal tool? Why would the FBI set up "Clean Servers" and allow your traffic to still be redirected?

My guess is that they are collecting statistics on every PC that hits their servers. I would not go to that site to have anything checked. Those sites are contractor sites for the FBI/CIA/NSA. The chances that you are infected are pretty low. Just run Malwarebytes or any other malware checker.

Check for it running via the netstat command. Open a command prompt and type netstat -b, then look and see what connections you have that are connecting to foreign hosts. Run netstat -p udp to check for outbound UDP connections for DNS port 53 to foreign hosts; netstat -p tcp is the same as above. DNS should not be forwarding outside of your firewall to any outside source from your LAN IP. Check your hosts file for any writes to it, as it will bypass all DNS settings. That is all for now. This is just a suggestion, but the whole thing seems fishy!

If this is a variant of the trojans below, then they can be detected by up-to-date antivirus/malware checkers.

[link to www.symantec.com]

Discovered: April 25, 2005
Updated: February 13, 2007 12:37:53 PM
Also Known As: Trojan.Win32.DNSChanger.a [Kas
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Trojan.Flush.C is a Trojan horse that modifies the DNS server settings on a compromised computer and redirects the browser to potentially malicious Web sites.

Antivirus Protection Dates
Initial Rapid Release version April 25, 2005
Latest Rapid Release version April 25, 2005
Initial Daily Certified version April 25, 2005
Latest Daily Certified version April 25, 2005
Initial Weekly Certified release date April 27, 2005
Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Moderate
Damage
Damage Level: Low
Distribution
Distribution Level: Low

[link to www.f-secure.com]
Trojan.Win32.DNSChanger.al
Lately we got a few samples of this trojan that were named 'PayPal-2.5.200-MSWin32-x86-2005.exe'. This trojan was programmed to change the DNS server name of a victim's computer to 193.227.227.218 address.

The Registry key that is affected by this trojan is:


[HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces]
"NameServer"

Registry Modifications
Creates these keys:


HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}
DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}
NameServer = 85.255.xxx.133,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
NameServer = 85.255.xxx.xxx,85.255.xxx.xxx

Last Edited by Nostril Domus on 07/08/2012 08:29 PM
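As an added example, not code from this thread or from any of the tools it names, here is a small Python script that applies the three checks the post describes (DNS traffic to hosts outside the LAN in netstat output, entries written to the hosts file, and the NameServer/DhcpNameServer values under the Tcpip\Parameters\Interfaces key quoted from the F-Secure writeup) to saved text, so it runs offline. All sample addresses, PIDs and the interface GUID are constructed; on a real machine you would feed it the saved output of `netstat -ano`, the hosts file, and `reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s`, plus the resolvers you actually expect (your router or ISP) as the trusted set.

```python
"""Added example (not from the thread): apply the post's three DNS-changer
checks to saved text, offline. Every sample input below is constructed."""
import ipaddress
import re

# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49700     93.184.216.34:443      ESTABLISHED     1234
  TCP    192.168.1.20:49701     127.0.0.1:5354         TIME_WAIT       0
  UDP    192.168.1.20:53234     192.168.1.1:53         *               880
  UDP    192.168.1.20:53235     203.0.113.9:53         *               4321
"""

# Constructed hosts file with one non-loopback entry written into it.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.9     www.example-bank.test   # constructed, not a real site
"""

# Constructed `reg query ... /s` output for one interface key; the GUID is made up.
REG_SAMPLE = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{11111111-2222-3333-4444-555555555555}
    NameServer    REG_SZ    203.0.113.9,203.0.113.10
    DhcpNameServer    REG_SZ    192.168.1.1
"""

# Ranges that count as "inside the firewall": loopback, link-local, RFC 1918 and IPv6 equivalents.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def is_lan(text):
    """True if `text` is an IP address inside one of LAN_NETS; False for names, '*' or junk."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETS)


def split_endpoint(text):
    """'203.0.113.9:53' -> ('203.0.113.9', '53'); also strips IPv6 brackets."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), port


def foreign_dns_connections(netstat_text):
    """(proto, foreign host, pid) for every socket whose remote port is 53 on a non-LAN host."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or a wrapped fragment
        host, port = split_endpoint(parts[2])
        if port in ("53", "domain") and not is_lan(host):
            pid = parts[-1] if parts[-1].isdigit() else None  # only present with -o
            hits.append((parts[0], host, pid))
    return hits


def hosts_overrides(hosts_text):
    """(name, ip) for hosts-file entries that send a name anywhere but loopback."""
    overrides = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        ip, *names = line.split()
        if ip not in ("127.0.0.1", "::1"):
            overrides.extend((name, ip) for name in names)
    return overrides


REG_VALUE_RE = re.compile(r"^\s*(NameServer|DhcpNameServer)\s+REG_SZ\s+(.*?)\s*$")


def configured_name_servers(reg_text):
    """Parse `reg query ... /s` text into {key path: {value name: [server, ...]}}."""
    result, current = {}, None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            result.setdefault(current, {})
        m = REG_VALUE_RE.match(line)
        if m and current:  # NameServer lists are comma- or space-separated
            result[current][m.group(1)] = [s for s in re.split(r"[ ,]+", m.group(2)) if s]
    return result


def rogue_name_servers(reg_text, trusted):
    """(key, value name, server) for each configured resolver that is neither LAN nor in `trusted`."""
    return [(key, name, ip)
            for key, values in configured_name_servers(reg_text).items()
            for name, servers in values.items()
            for ip in servers if ip not in trusted and not is_lan(ip)]


def report(netstat_text=NETSTAT_SAMPLE, hosts_text=HOSTS_SAMPLE,
           reg_text=REG_SAMPLE, trusted=frozenset()):
    """Human-readable list of findings from all three checks."""
    findings = [f"{proto} DNS traffic to non-LAN resolver {host} (pid {pid})"
                for proto, host, pid in foreign_dns_connections(netstat_text)]
    findings += [f"hosts file maps {name} to {ip}" for name, ip in hosts_overrides(hosts_text)]
    for key, name, ip in rogue_name_servers(reg_text, trusted):
        findings.append(f"{name} under {key.rsplit(chr(92), 1)[-1]} points at {ip}")
    return findings


if __name__ == "__main__":
    print("\n".join(report()) or "nothing suspicious found")
```

On the constructed input the script reports four findings: one UDP socket sending DNS to a non-LAN resolver, one hosts-file override, and two rogue NameServer entries, while the router's DhcpNameServer value (192.168.1.1) and the LAN-side DNS socket are left alone. A resolver that is legitimately outside the LAN (an ISP or public resolver you chose) is silenced by putting it in `trusted`.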
Nostril Domus  (OP)

User ID: 9357516
United States
07/08/2012 08:34 PM
bump
Plane

User ID: 17096887
Norway
07/08/2012 08:35 PM
This is very fishy indeed. It has been making front page news for more than 2 months, and it's not a big deal at all. Just a hundred thousand computers..

BTW they KNOW the IPs of those computers, because those IPs come through THEIR servers already. So they could instantly tell if you are infected. But nooooo. Let all the noobs panic about some lame computer virus. I guess the internet could go down for more people than it should.

Last Edited by Plane on 07/08/2012 08:36 PM
12.21.12

User ID: 9992933
United States
07/08/2012 08:37 PM
Clappa, good info. 5 stars and a pin suggestion.
Nostril Domus  (OP)

User ID: 9357516
United States
07/08/2012 08:37 PM
Maybe it's just me being paranoid, but why would the FBI keep hosting DNS servers if they know infected clients will hit them?? Maybe to snoop on said computers? And with any infection there is always a notification by your AV provider and updated virus defs and/or removal instructions.

Something is not adding up.
Anonymous Coward
User ID: 19323139
United States
07/08/2012 08:45 PM
Malwarebytes doesn't work. Beware!
Plane

User ID: 17096887
Norway
07/08/2012 08:48 PM
Maybe it's just me being paranoid, but why would the FBI keep hosting DNS servers if they know infected clients will hit them?? Maybe to snoop on said computers? And with any infection there is always a notification by your AV provider and updated virus defs and/or removal instructions.

Something is not adding up.
 Quoting: Nostril Domus

This part is pretty simple I guess. They don't wanna be blamed for shutting down the internet for those people, so they give people time to clean their computers. And those people are the ones who don't have antivirus or don't know sht about computers.
Nostril Domus  (OP)

User ID: 9357516
United States
07/08/2012 08:50 PM
Malwarebytes doesn't work. Beware!
 Quoting: Anonymous Coward 19323139


BS. I would use two so that you have a better chance at detecting what Malwarebytes does not. Your claims that it does not work are false. Use ComboFix or Spybot if you don't trust Malwarebytes.
Nostril Domus  (OP)

User ID: 9357516
United States
07/08/2012 08:56 PM
Maybe it's just me being paranoid, but why would the FBI keep hosting DNS servers if they know infected clients will hit them?? Maybe to snoop on said computers? And with any infection there is always a notification by your AV provider and updated virus defs and/or removal instructions.

Something is not adding up.
 Quoting: Nostril Domus

This part is pretty simple I guess. They don't wanna be blamed for shutting down the internet for those people, so they give people time to clean their computers. And those people are the ones who don't have antivirus or don't know sht about computers.
 Quoting: Plane


While I agree with it being the most common answer, this could be solved by taking it to your local PC shop if you don't know shit about PCs. I have never seen the Govt step up to offer a fix for an infected PC ever! The antivirus companies are usually the ones providing fixes.
Nostril Domus  (OP)

User ID: 9357516
United States
07/08/2012 09:07 PM
bump
Anonymous Coward
User ID: 14408911
United States
07/08/2012 09:09 PM
Maybe it's just me being paranoid, but why would the FBI keep hosting DNS servers if they know infected clients will hit them?? Maybe to snoop on said computers? And with any infection there is always a notification by your AV provider and updated virus defs and/or removal instructions.

Something is not adding up.
 Quoting: Nostril Domus

This part is pretty simple I guess. They don't want to be blamed for shutting down the internet for those people, so they give people time to clean their computers, those people who don't have antivirus or don't know sht about computers.
 Quoting: Plane


I agree.
Anonymous Coward
User ID: 17888588
United States
07/08/2012 09:19 PM
My first thought was that this was BS. I know it is. Now all these people will go to the site to find out if they are affected. 60,0000 computers is NOTHING, so why the heck would they care? Sounds really strange.
Nostril Domus  (OP)

User ID: 9357516
United States
07/08/2012 09:25 PM
My first thought was that this was BS. I know it is. Now all these people will go to the site to find out if they are affected. 60,0000 computers is NOTHING, so why the heck would they care? Sounds really strange.
 Quoting: Anonymous Coward 17888588


Glad I'm not the only one! I would not go anywhere near that site. It may be fine, but to err on the side of caution, I would rather be smart and check it myself.

However, I do know that there are a lot of people that are concerned. I would either take the time to run ComboFix or Malwarebytes and run the netstat commands, or you could just wait until morning and see. I have a suspicion that most users will not have any issues connecting.
Resister

User ID: 1461638
United States
07/08/2012 09:40 PM
No one should trust the FBI (or CIA, or NSA, or DHS, or insert government alphabet agency) as far as you could throw the buildings they work in.

That said, there really is no security online. Sure, there are reliable ISPs and websites that are more reliable and trustworthy than others, but really, once your signal goes out of your house/phone/laptop/tablet it is out there where you have no control whatsoever over it.

The internet isn't like real life where you can choose to walk only through the good side of town. Servers and websites are all blind alleys of varying levels of risk.

Happy surfing folks.
"God forbid we should ever be 20 years without such a rebellion. The people cannot be all, & always, well informed... If they remain quiet under such misconceptions it is a lethargy, the forerunner of death to the public liberty... Let them take arms... What signify a few lives lost in a century or two? The tree of liberty must be refreshed from time to time with the blood of patriots & tyrants. " - Thomas Jefferson in 1787
Anonymous Coward
User ID: 17888588
United States
07/08/2012 09:57 PM
Well, I bet if someone didn't have a problem before they went to the site, they damn sure will after they go there!
Nostril Domus  (OP)

User ID: 9357516
United States
07/08/2012 10:16 PM
They could be spreading the Flame virus for spying on you!

Flame can gather data files, remotely change settings on computers, turn on PC microphones to record conversations, take screen shots and log instant messaging chats.

Kaspersky Lab said Flame and Stuxnet appear to infect machines by exploiting the same flaw in the Windows operating system and that both viruses employ a similar way of spreading.


With a new National Security Agency data center coming online and capable of capturing, aggregating and analyzing every digital communication in the United States, cellphones and computers having in excess of 99% penetration across the country, and some 30,000 drones being prepared for domestic operations, we can safely say that a total police state surveillance infrastructure is now in place and fully capable of monitoring everything - and we mean EVERYTHING – that you do.

[link to usahitman.com]
Anonymous Coward
User ID: 18096709
United States
07/08/2012 10:24 PM
I told you knuckleheads last night by asking who was providing the DNS checker. Sounded fishy as can be.
A certain poster had pom-poms on for you to connect to that scanner by stating "it's so easy".

Goofy Thum


I told you !! agent
Nostril Domus  (OP)

User ID: 9357516
United States
07/08/2012 11:03 PM
bump
Anonymous Coward
User ID: 19382816
United States
07/08/2012 11:06 PM
nothing is going to happen ..
Nostril Domus  (OP)

User ID: 9357516
United States
07/08/2012 11:11 PM
nothing is going to happen ..
 Quoting: Anonymous Coward 19382816


That's the whole point of this thread! But I offered a few tips to see if they were infected.
Anonymous Coward
User ID: 18089244
United States
07/08/2012 11:13 PM
I have never seen the Govt step up to offer a fix for an infected PC ever! The Antivirus companies are usually providing fixes.
 Quoting: Nostril Domus

Yeah, the Government either does nothing or is complicit with the bad guys.
Sandi_T

User ID: 15828781
United States
07/08/2012 11:13 PM
I don't understand. I ran the netstat, but what should I be seeing?

I'm seeing localhost:#####

and then there's like, for example: godlikeproductions.com:http


So how would I know if something was connecting to foreign hosts?
No more requests in the "Strangest things" thread please. :hf:

Past Lives requests thread: Thread: That Which Once Was: Past Lives
Nostril Domus  (OP)

User ID: 9357516
United States
07/08/2012 11:15 PM
I don't understand. I ran the netstat, but what should I be seeing?

I'm seeing localhost:#####

and then there's like, for example: godlikeproductions.com:http


So how would I know if something was connecting to foreign hosts?
 Quoting: Sandi_T


If all you have open is GLP and it's the only thing showing when you run the commands, then you are good.
Sandi_T

User ID: 15828781
United States
07/08/2012 11:18 PM
I don't understand. I ran the netstat, but what should I be seeing?

I'm seeing localhost:#####

and then there's like, for example: godlikeproductions.com:http


So how would I know if something was connecting to foreign hosts?
 Quoting: Sandi_T


If all you have open is GLP and it's the only thing showing when you run the commands, then you are good.
 Quoting: Nostril Domus


Hmmm, no, I had a couple other things up in Firefox.

But I also have this 1ga15s28 thing that I don't know what it is. It doesn't go away when I close Firefox.

And minea11mine something on the -p tcp thing.

Last Edited by Sandi_T on 07/08/2012 11:19 PM
Nostril Domus  (OP)

User ID: 9357516
United States
07/08/2012 11:19 PM
I don't understand. I ran the netstat, but what should I be seeing?

I'm seeing localhost:#####

and then there's like, for example: godlikeproductions.com:http


So how would I know if something was connecting to foreign hosts?
 Quoting: Sandi_T


If all you have open is GLP and it's the only thing showing when you run the commands, then you are good.
 Quoting: Nostril Domus


Are you seeing something like this?

netstat -b
Proto Local Address Foreign Address State
TCP 172.16.100.11:57752 a23-64-31-144:http TIME_WAIT
TCP 172.16.100.11:57777 74:http ESTABLISHED
[iexplore.exe]
TCP 172.16.100.11:57779 www-slb-10-01-prn1:http ESTABLISHED
[iexplore.exe]
TCP 172.16.100.11:57780 www-slb-10-01-prn1:http ESTABLISHED
[iexplore.exe]
TCP 172.16.100.11:57784 atl14s08-in-f9:https ESTABLISHED
[iexplore.exe]
TCP 172.16.100.11:57785 atl14s08-in-f9:https ESTABLISHED
[iexplore.exe]
TCP 172.16.100.11:57786 a23-64-31-144:http ESTABLISHED
[iexplore.exe]
TCP 172.16.100.11:57792 172.35.0.14:http SYN_SENT
[PNAMAIN.EXE]
TCP 172.16.100.11:57793 172.35.0.15:http SYN_SENT
[PNAMAIN.EXE]
TCP 172.16.100.11:57794 192.168.180.235:epmap SYN_SENT
RpcEptMapper
[svchost.exe]
Sandi_T

User ID: 15828781
United States
07/08/2012 11:21 PM
These don't have the [iexplorer] thing next to them (though I use Firefox, but we get the idea here).

I do have WMP on though.
Nostril Domus  (OP)

User ID: 9357516
United States
07/08/2012 11:24 PM
I don't understand. I ran the netstat, but what should I be seeing?

I'm seeing localhost:#####

and then there's like, for example: godlikeproductions.com:http


So how would I know if something was connecting to foreign hosts?
 Quoting: Sandi_T


If all you have open is GLP and it's the only thing showing when you run the commands, then you are good.
 Quoting: Nostril Domus


Hmmm, no, I had a couple other things up in Firefox.

But I also have this 1ga15s28 thing that I don't know what it is. It doesn't go away when I close Firefox.

And minea11mine something on the -p tcp thing.
 Quoting: Sandi_T


Copy the output and paste it here. Right-click on the command prompt and click "Mark", highlight all the text on the screen, then go to the top left on the blue bar and right-click, select Edit and Copy, then paste it here. For some reason Ctrl-C will not copy correctly.
Sandi_T

User ID: 15828781
United States
07/08/2012 11:25 PM
TCP mine11mine:#### 1ga##s##-in-f7.1e###.net:http TIME_WAIT 0


That's what one looks like (with some missing numbers, but you get the idea).
Nostril Domus  (OP)

User ID: 9357516
United States
07/08/2012 11:27 PM
TCP mine11mine:#### 1ga##s##-in-f7.1e###.net:http TIME_WAIT 0


That's what one looks like (with some missing numbers, but you get the idea).
 Quoting: Sandi_T


I believe you're safe. Run ComboFix and Malwarebytes if you haven't already. Both are free.
Sandi_T

User ID: 15828781
United States
07/08/2012 11:28 PM
C:\Documents and Settings\Admin>netstat -b

Active Connections

Proto Local Address Foreign Address State PID
TCP mineallmine:1316 www-slb-10-02-ash3.facebook.com:http TIME_WAIT
0
TCP mineallmine:1319 lga15s28-in-f8.1e100.net:https TIME_WAIT
0
TCP mineallmine:1332 a23-48-127-144.deploy.akamaitechnologies.com:htt
p TIME_WAIT 0
TCP mineallmine:1356 r-199-59-150-43.twttr.com:http TIME_WAIT
0
TCP mineallmine:1357 a23-48-127-144.deploy.akamaitechnologies.com:htt
p TIME_WAIT 0

C:\Documents and Settings\Admin>netstat -p

Active Connections

Proto Local Address Foreign Address State

C:\Documents and Settings\Admin>netstat -p tcp

Active Connections

Proto Local Address Foreign Address State
TCP mineallmine:1316 www-slb-10-02-ash3.facebook.com:http TIME_WAIT
TCP mineallmine:1319 lga15s28-in-f8.1e100.net:https TIME_WAIT
TCP mineallmine:1332 a23-48-127-144.deploy.akamaitechnologies.com:htt
p TIME_WAIT
TCP mineallmine:1356 r-199-59-150-43.twttr.com:http TIME_WAIT
TCP mineallmine:1357 a23-48-127-144.deploy.akamaitechnologies.com:htt
p TIME_WAIT

C:\Documents and Settings\Admin>
Sandi_T

User ID: 15828781
United States
07/08/2012 11:29 PM
I dunno why Twitter or Facebook are on there, I don't use either.

damned