Fake DHCP

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kc61q, Sep 2, 2011.

  1. kc61q

    kc61q Private E-2

    Hello,

    I'm a longtime reader of this forum and have nearly always found answers to malware issues. Thank you for your help in the past. This is the first time I have had to post directly to solve an issue.

    I have recently had network/internet connectivity issues in our office network. Investigation traced the problem to three PCs on the network that were infected with malware that caused them to send out fake DHCP configurations pointing to a known malware DNS server in Romania.

    I have been trying to clean up the first of these three infected PCs, but have not had much luck. Yesterday, I ran MBRChecker, TDSSKiller, and Malwarebytes. This morning, I ran SuperAntiSpyware, RootRepeal, and MGTools. Most found issues (all logs are posted below), but the PC continues to send out fake DHCP information.

    Please note that I was unable to run ComboFix. It continually freezes after saying it is starting to scan files, but before it changes the clock format.

    Thanks so much for your help!
     

    Attached Files:
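The symptom in the post above (infected hosts answering DHCP requests with a DNS server of the attacker's choosing) can be confirmed from a packet capture without touching the suspect machines. The script below is an added example, not part of the original thread: it parses the UDP payload of a DHCP message, pulls out the server identifier (option 54) and DNS servers (option 6), and flags any OFFER/ACK whose server or DNS addresses are not on an allow-list. The two sample packets are constructed inside the script; 192.168.1.0/24, the MAC address and the DNS address 203.0.113.53 (from the TEST-NET-3 documentation range) are placeholders, not the real addresses from the thread.

```python
import ipaddress
import struct
from typing import Dict, List, Set

# BOOTP fixed header is 236 bytes, then the 4-byte DHCP magic cookie, then TLV options.
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def _ips(raw: bytes) -> List[str]:
    # Options 3 and 6 carry a list of 4-byte addresses; ignore a trailing partial address.
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw) - len(raw) % 4, 4)]


def parse_dhcp(payload: bytes) -> Dict:
    """Parse a DHCP message (UDP payload) into the fields an audit needs."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    server_id_raw = opts.get(OPT_SERVER_ID, b"")
    return {
        "op": op,                                   # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
        "xid": xid,
        "client_mac": payload[28:28 + hlen].hex(":"),
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
        "msg_type": MSG_TYPES.get(opts[OPT_MSG_TYPE][0]) if OPT_MSG_TYPE in opts else None,
        "server_id": str(ipaddress.IPv4Address(server_id_raw)) if len(server_id_raw) == 4 else None,
        "router": _ips(opts.get(OPT_ROUTER, b"")),
        "dns": _ips(opts.get(OPT_DNS, b"")),
    }


def audit_dhcp(pkt: Dict, trusted_servers: Set[str], trusted_dns: Set[str]) -> List[str]:
    """Return findings for a server-to-client OFFER/ACK; an empty list means the lease looks clean."""
    findings: List[str] = []
    if pkt["op"] != 2 or pkt["msg_type"] not in ("OFFER", "ACK"):
        return findings  # client traffic and NAKs carry no configuration to check
    who = "%s (xid 0x%08x)" % (pkt["client_mac"], pkt["xid"])
    if pkt["server_id"] not in trusted_servers:  # a missing server identifier is flagged too
        findings.append("rogue DHCP server %s answered %s" % (pkt["server_id"], who))
    for dns in pkt["dns"]:
        if dns not in trusted_dns:
            findings.append("untrusted DNS %s handed to %s by %s" % (dns, who, pkt["server_id"]))
    return findings


def build_offer(xid: int, client_mac: str, yiaddr: str, server_ip: str, dns: List[str]) -> bytes:
    """Assemble a DHCPOFFER as a server would; used here only to construct sample traffic."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0x8000)  # BOOTREPLY, Ethernet, broadcast flag
    hdr += _ip("0.0.0.0") + _ip(yiaddr) + _ip(server_ip) + _ip("0.0.0.0")  # ciaddr yiaddr siaddr giaddr
    hdr += bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")  # chaddr
    hdr += b"\x00" * 192                                                   # sname + file
    opts = bytes([OPT_MSG_TYPE, 1, 2, OPT_SERVER_ID, 4]) + _ip(server_ip)
    opts += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(_ip(d) for d in dns)
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])


# Constructed sample data (placeholder addresses, not the thread's real ones).
TRUSTED_DHCP = {"192.168.1.1"}
TRUSTED_DNS = {"192.168.1.1"}
LEGIT_OFFER = build_offer(0x3903F326, "00:11:22:33:44:55", "192.168.1.20", "192.168.1.1", ["192.168.1.1"])
# An infected workstation racing the real server and pointing clients at an outside resolver.
ROGUE_OFFER = build_offer(0x3903F326, "00:11:22:33:44:55", "192.168.1.20", "192.168.1.57", ["203.0.113.53"])

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        for line in audit_dhcp(parse_dhcp(raw), TRUSTED_DHCP, TRUSTED_DNS) or ["clean"]:
            print(name, "->", line)
```

To feed it real traffic, capture on a switch port or the affected segment with `tcpdump -n -i eth0 'udp port 67 or udp port 68' -w dhcp.pcap` and hand each UDP payload to `parse_dhcp`. The offer with the wrong server identifier also tells you the MAC address of the infected host, which is how to find the machines rather than chasing the downstream DNS symptom.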

  2. kc61q

    kc61q Private E-2

    Additional logs.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Both MBRcheck and TDSSkiller show that you most likely have an infected Master Boot Record ( MBR ) which needs to be fixed. First, a couple of questions.
    1. Do you have all important data backed up? While most of the time, repairing the MBR works without any problems, there is still the risk that there could be a problem due to how malware has hooked into the operating system of your PC. So it is prudent to be backed up first.
    2. Do you have your Windows XP boot CD so that we can use it to boot to the Recovery Console to repair your MBR?
     
  4. kc61q

    kc61q Private E-2

    1. Working on backing up data files now.....

    2. Don't have an XP boot disk. The PC is an IBM/Lenovo desktop that comes with an "IBM Rescue and Recovery" CD.

    Also, since the install of ComboFix, I now have an option to boot directly to Windows Recovery Console.

    Thanks........
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This may have a possible use but I have never used one. It seems to have many options, however I'm not sure it would fix the MBR or even detect it to be a problem. Information about this type of disk is here >> http://www.pc.ibm.com/us/think/thinkvantagetech/rescuerecovery.html

    But it really may be of little use unless you have been making regular backups before the infection occurred.


    These types of MBR infections will not be repaired using the installed version of the Recovery Console because you are booting up from the infected hard disk.


    A possible solution is that you could see what was posted in message # 12 of the below thread and see if you can get this CD to run.

    whistler/black internet@mbr again!
     
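The advice above boils down to: back up first, then verify and repair the MBR from media other than the infected disk. The script below is an added example (not from the thread or from either participant) showing what "verifying the MBR" means in practice: it parses a 512-byte sector 0, sanity-checks the boot signature and partition table, and compares a SHA-256 of the 440-byte bootstrap code against a hash taken from a known-good copy. The two MBR images and the known-good hash are constructed inside the script; the bootstrap bytes are stand-ins, not real Windows MBR code.

```python
import hashlib
import struct
from typing import Dict, List, Sequence, Tuple

SECTOR = 512
BOOT_SIG = b"\x55\xaa"                 # bytes 510..511 of every valid MBR
PT_OFFSET = 446                        # four 16-byte partition entries start here
ENTRY = struct.Struct("<B3sB3sII")     # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> Dict:
    """Split an MBR into bootstrap code, disk signature, partition table and boot signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for n in range(4):
        status, _chs0, ptype, _chs1, lba, count = ENTRY.unpack_from(sector, PT_OFFSET + 16 * n)
        parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "bootcode": sector[:440],                 # the part a bootkit overwrites
        "disk_signature": sector[440:444].hex(),
        "partitions": parts,
        "signature_ok": sector[510:512] == BOOT_SIG,
    }


def check_mbr(sector: bytes, known_good_bootcode_sha256: str) -> List[str]:
    """Return findings; an empty list means the sector matches the known-good copy and is well formed."""
    mbr = parse_mbr(sector)
    findings: List[str] = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    active = [i for i, p in enumerate(mbr["partitions"]) if p["status"] == 0x80]
    if len(active) > 1:
        findings.append("more than one active partition: %s" % active)
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d: invalid status byte 0x%02x" % (i, p["status"]))
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append("entry %d: unused type but non-zero extent" % i)
    digest = hashlib.sha256(mbr["bootcode"]).hexdigest()
    if digest != known_good_bootcode_sha256:
        findings.append("bootstrap code sha256 %s... differs from the known-good copy" % digest[:16])
    return findings


def make_mbr(bootcode: bytes, entries: Sequence[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a test MBR from bootstrap code and (status, type, lba_start, sectors) tuples."""
    if len(bootcode) > 440 or len(entries) > 4:
        raise ValueError("bootstrap code is at most 440 bytes and the table holds 4 entries")
    sector = bootcode.ljust(440, b"\x00") + b"\x5a\x5a\x00\x01" + b"\x00\x00"  # code, disk sig, reserved
    for status, ptype, lba, count in list(entries) + [(0, 0, 0, 0)] * (4 - len(entries)):
        sector += ENTRY.pack(status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, count)
    return sector + BOOT_SIG


# Constructed samples: synthetic bootstrap bytes, one active NTFS (type 0x07) partition.
CLEAN_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32
PARTITIONS = [(0x80, 0x07, 63, 78140097)]
CLEAN_MBR = make_mbr(CLEAN_BOOTCODE, PARTITIONS)
# In real use this hash comes from a backup taken before the infection, or from a clean identical machine.
KNOWN_GOOD_SHA256 = hashlib.sha256(parse_mbr(CLEAN_MBR)["bootcode"]).hexdigest()
# A bootkit typically swaps the bootstrap code but leaves the partition table intact so the box still boots.
INFECTED_MBR = make_mbr(b"\xeb\x58\x90" + b"\xcc" * 40, PARTITIONS)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, "->", check_mbr(img, KNOWN_GOOD_SHA256) or ["ok"])
```

Dump the sector from a rescue CD or live Linux with `dd if=/dev/sda of=mbr.bin bs=512 count=1` and pass the file's contents to `check_mbr`. Many MBR bootkits hook the disk driver so that the running, infected Windows reads back a clean-looking sector 0, which is the reason behind the point above that the repair (and the check) has to be done after booting from other media rather than from the installed Recovery Console.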
