epoclick DNSchanger infection


Dr.Rick
Hi,

My Win XP Home laptop picked up an infection. A lot of people seem to be getting it lately. My system:

Win XP Home SP3 on a Dell XPS laptop

Netgear WGR614 v7 router

Symptoms:

* occasional new windows open up with 'epoclick' in the URL and the page is blank

* unable to go to many disinfection sites, including Windows update and malwarebytes

* running at the command prompt >ipconfig /all shows that the DNS addresses have been commandeered, and are in the Ukraine (!) and show up on googling as known malware sites

How infected?

* I believe it happened when this machine was simultaneously logged into my router when another infected computer was also logged in to the same router. Happened in October '10.

What I've done:

* ran my McAfee Antivirus (enterprise version) in on-demand mode and scanned entire computer and HDD and it found nothing

* changed my DNS addresses manually (yeah, I am guilty of never having changed my router login/pw to something unique for me. No doubt that's how it got me) but they just went right back to being the Ukraine evil DNS servers

So I then...

* disconnected from the internet, did a hard reset of router (pin in the hole), logged into the router using a known clean machine - a Macbook Pro - and manually forced the router to use the OpenDNS servers rather than "get from IP" as it had been.

* I continue to access the web via my macbook pro which continues to show no evidence of infection (but, would i really know??)

* I continue to check periodically what the macbook is using for DNS addresses and they remain the proper OpenDNS servers, so that's good. No epoclick pages have ever come up, and it's been several weeks now.

* I once plugged my infected laptop back into the router using an ethernet cable, but it was not able to get online. I do not want to tell that computer what my new router login/pw is for fear I'll be right back to square one.

* I continue to keep my infected computer quarantined - no connection to the internet. While I still could, I was able to download combofix and a few other packages that were recommended on the net, but have not tried using them yet.

Before trying to disinfect this machine, I have more urgent questions:

1. Can I connect a (different) clean Windows laptop PC to this router and be confident it won't be re-infected by the router itself (Keeping, of course, other infected computers from being on the router)? In other words, do these DNSchangers actually infect the firmware inside the router so that a clean computer merely by being connected to it, will download the infection?

2. Same question but for my DSL router upstream of the Netgear router - is it infected in some way too?

A friend who works in computer networking thinks it's very unlikely the router itself is infected; and it's more likely that the router is sending a safe DNS address to the computer, but the computer virus is overwriting it when it sends the packets back out, and therefore it's safe to connect a clean laptop to my router. I need to get my life back before beginning the perhaps long process of disinfecting this laptop. Others online think that these new nasty bugs are so dangerous that only a complete reformat of the HDD will ensure disinfection. I hope not, but I do have (outdated, sigh) backups for most things.

Thanks for this great service. By tomorrow Dec 2 I should be able to begin the process of disinfection, but for now I just want to know if I can get work done on a clean machine but still at home with my router.

Rick


Hello ,

And :D My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the otlDesktopIcon.png icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTListIt.txt <-- will be opened
    • Extra.txt <-- will be minimized

Please download Rootkit Unhooker and save it to your desktop.

  • Extract RKUnhooker to your desktop.
    • Note: it is zipped up in a .rar file. If you do not have a program to unzip this type of file, you can get a free one from here: http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note: you may get the following warning. It is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.

-------------------------------------------------------------

In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.


Thank you Elise,

First, before I attempt to reconnect this computer to the internet (I'm talking to you now with a Macbook which is clean), I need to know something about routers. Is it safe to connect a clean Windows machine to my router, after I reset it and ensured it (currently) has the OpenDNS servers rather than the malware Ukrainian DNS addresses? It's really a question about the nature of routers, more than the specifics of my computer and its malware. I need to be able to resume work with a Windows machine from home, where this malware is happening, and I am not comfortable with connecting any Windows machine to the router and risking spreading the disease to another computer. So my first, urgent questions are...

Before trying to disinfect this machine, I have more urgent questions:

1. Can I connect a (different) clean Windows laptop PC to this router and be confident it won't be re-infected by the router itself (Keeping, of course, other infected computers from being on the router)? In other words, do these DNSchangers actually infect the firmware inside the router so that a clean computer merely by being connected to it, will download the infection?

2. Same question but for my DSL router upstream of the Netgear router - is it infected in some way too?


Usually a router will not directly infect your computer. However, the DNS (I assume you are referring to ProLite, IP address 213........) will redirect your searches. The simplest solution is to reset the router and then change the admin password.

Using OpenDNS is also effective; however, to be safe I recommend a reset (ProLite DNS router hijacks are quite persistent and usually it is best to find an online manual for your router with detailed instructions on how to do a reset).


Hi Elise,

I was ONLY able to enter the OpenDNS addresses by disconnecting all computers, doing a reset (using a pin to press the recessed button on the Netgear router), then using a MacBook Pro to access the router and tell it to use the OpenDNS addresses for its DNS servers. So my concern is that when I reconnect my infected computer to the router, it will require me to tell it the new router login/password in order to connect to the internet, and thereby commandeer the router again and I'll be right back to square 1, meaning, I won't be able to access many of the antivirus websites and programs I see recommended for similar malware problems. That was my experience when I last tried to reconnect it, using an ethernet cable (my usual method; it's faster than wireless). It wouldn't connect to the internet. This is strange, since I'm used to being able to get on the internet with any laptop by just plugging in a live ethernet cable (e.g. at various places where I work), w/o any passwords etc. I suspect it's the malware which is trying to force me to tell it the new login/pw so it can take over my router once again.

Should I instead download the recommended programs on a clean machine somewhere else, onto a flash drive, and then upload them to the infected computer? (But then, do these viruses spread via flash drive?)


You can transfer the tools with a flashdrive or CD, but the router hijack did not come from within your PC, rather from the outside.

Typically these hijackers attempt to access the router settings by using the default username/password combination. So, as long as that combination is changed, you ought to be good.


I connected the infected laptop by ethernet to my router and was able to get on the internet (apparently it was just a loose cable that prevented internet access, not the virus, at least via ethernet). However, when I do ipconfig /all it shows the evil DNS servers in the Ukraine as my primary and backup. And again, I'm not able to access crucial sites, including Windows update or malwarebytes.

I'm talking to you now on my (still clean I think) macbook pro connected to the same router. When I query with the 'apple' | preferences |network | advanced clicks, I still see the OpenDNS servers as listed, so that's encouraging. I suppose that means that the router's sending the computers the right DNS and it's only the diseased computer that's substituting in the bad DNS's.

What should I do now?

thanks

Rick


Hi Elise,

The spec sheet is here....

http://www.netgear.com/products/home/wirel...WGR614.aspx#two

It's "version 7" of this model. Shortly after the infection in October, I reset the router by pushing the reset button, then accessed the router with the macbook Pro by using the router's URL and reset the login and password to be something other than the default values. It was my oversight of leaving the default values when I bought it years ago that no doubt led to the infection in the first place. I also made sure to use WPA2-PSK for security, which I understand is much safer than WEP.


"However, when I do ipconfig /all it shows the evil DNS servers in the Ukraine as my primary and backup. And again, I'm not able to access crucial sites, including windows update or malwarebytes."

Is this still the case? If so, your router is still infected and thus needs to be reset.

Wait. I thought we decided that the router itself was not infected, only the computer was. The router was reset already. I'm sure if I tried connecting the infected laptop to the router via wireless, I'd have to tell the infected computer the new login/pw that I set via my macbook, and I don't want to do this. So I am connecting the infected computer via ethernet cable, which is not configured to require login/pw to access the web. Now, when I ask the equivalent of >ipconfig /all on my macbook, it gives me the proper DNS addresses and settings which I gave the router (i.e. it sees the OpenDNS servers). From that, I understood the router itself is fine and it's only the laptop which is infected, and I only risk having the laptop change the router settings if I tell the laptop the new secret login/pw for the router.


In that case, post me the logs from your infected computer as instructed. Do first the following:

Please right click on your Internet Connection icon in the System Tray and select Status. In the Status window click the Options button.

Look under "this connection uses the following items" and highlight Internet Protocol (TCP/IP). Click Properties.

On the General tab, make sure "Obtain an IP address automatically" and "Obtain DNS server address automatically" are both ticked.

On the Alternate Configuration tab, make sure "Automatic private IP address" is ticked.

Click OK to exit the Properties and OK to exit the other windows as well.

Now, click Start > Run and type cmd in the Run box.

A command window will open. Type ipconfig /flushdns and press Enter.

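Rick's check a few posts up (reading the resolver addresses out of ipconfig /all and noticing they are not the OpenDNS servers the router hands out) and Elise's instructions above (put the adapter back on automatically assigned DNS, then flush the cache) come down to the same question: which resolvers is this adapter actually using, and are they the ones the router was told to provide? The script below is an added example, not code from this thread or from any tool it mentions. It parses ipconfig /all output, compares every adapter's DNS servers against an allow-list, and flags anything that is neither an expected resolver nor a LAN address (a router forwarding DNS from its own LAN address is normal). The allow-list uses OpenDNS's published resolvers, 208.67.222.222 and 208.67.220.220; the embedded ipconfig text is a constructed Windows XP sample, and its 192.0.2.x resolvers are documentation-range placeholders standing in for the rogue servers, since the thread only gives "213...". On Windows the script runs ipconfig /all itself; elsewhere it runs against the sample.

```python
import re
import subprocess
import sys
from ipaddress import ip_address, ip_network

# Resolvers the router was configured to hand out (OpenDNS's published addresses).
EXPECTED_DNS = {"208.67.222.222", "208.67.220.220"}

# A DNS server inside the LAN is normally the router itself forwarding queries.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample of 'ipconfig /all' output in the Windows XP layout. The
# 192.0.2.x resolvers (documentation range) are placeholders for the rogue
# servers described in the thread; the thread itself only gives "213...".
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : XPS-LAPTOP
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Integrated 10/100 Controller
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.0.2.53
                                            192.0.2.54

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Wireless WLAN Mini-Card
        Physical Address. . . . . . . . . : 00-11-22-33-44-66
"""

ADAPTER_RE = re.compile(r"^(\S.*?):\s*$")                              # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s*(.*)$")  # "Label . . . : value"
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_dns_servers(ipconfig_output):
    """Return {adapter name: [dns server, ...]} parsed from 'ipconfig /all' text."""
    adapters, adapter, in_dns = {}, None, False
    for raw in ipconfig_output.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ADAPTER_RE.match(line)          # unindented "... adapter ...:" header
        if m:
            adapter, in_dns = m.group(1), False
            adapters[adapter] = []
            continue
        m = FIELD_RE.match(line)            # indented "Label . . . : value" line
        if m:
            label, value = m.group(1), m.group(2).strip()
            in_dns = label.lower() == "dns servers"
            if in_dns and adapter is not None and IPV4_RE.match(value):
                adapters[adapter].append(value)
            continue
        # An indented line with no label continues the previous multi-valued field
        # (ipconfig lists the second and later DNS servers this way).
        if in_dns and adapter is not None and IPV4_RE.match(line.strip()):
            adapters[adapter].append(line.strip())
    return adapters


def classify_dns(adapters, expected=EXPECTED_DNS):
    """Return {adapter: {server: verdict}}; verdict is 'expected', 'lan' or 'UNEXPECTED'."""
    findings = {}
    for adapter, servers in adapters.items():
        verdicts = {}
        for server in servers:
            if server in expected:
                verdicts[server] = "expected"
            elif any(ip_address(server) in net for net in PRIVATE_NETS):
                verdicts[server] = "lan"
            else:
                verdicts[server] = "UNEXPECTED"
        findings[adapter] = verdicts
    return findings


def rogue_servers(ipconfig_output, expected=EXPECTED_DNS):
    """List (adapter, server) pairs whose resolver is neither expected nor on the LAN."""
    findings = classify_dns(parse_dns_servers(ipconfig_output), expected)
    return [(adapter, server) for adapter, verdicts in findings.items()
            for server, verdict in verdicts.items() if verdict == "UNEXPECTED"]


if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True,
                              text=True, errors="replace").stdout
    else:
        text = SAMPLE_IPCONFIG   # offline demo on the constructed sample
    for adapter, verdicts in classify_dns(parse_dns_servers(text)).items():
        print(adapter)
        for server, verdict in verdicts.items():
            print(f"    {server:<16} {verdict}")
    print("\nRogue resolvers present" if rogue_servers(text) else "\nAll resolvers as expected")
```

The useful reading is the comparison over time: after the adapter is set back to obtain DNS automatically and ipconfig /flushdns has been run, every verdict should be "expected" or "lan", and a verdict that flips back to UNEXPECTED on its own is the behaviour Rick reports when his manual DNS change reverted, which points at the machine rather than the router. Run on the clean Macbook's side of the same router it would show only the OpenDNS addresses, matching what Rick sees in the Network preferences.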


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
