
DNS Hijacking


  • This topic is locked
4 replies to this topic

#1 gmb

gmb

  • Members
  • 3 posts
  • Gender:Male

Posted 15 January 2009 - 07:11 PM

I have a laptop running XP-Pro Ser Pk 3 with all the latest updates. The system is running AVG 8 with all the latest updates.

The machine was infected with some sort of malware that I never completely identified (could be a Trojan of the "Google redirect" type). I deleted some bogus dll files that were created at the time of the infection. There doesn't SEEM to be any virus activity going on, but it appears that the TCP stack/DNS service has been corrupted and I cannot get it back to normal.

I tried using Spyware Dr, malwarebytes, and combo-fix. None of these tools will run. They all have an issue with updating. I tried HiJackThis and scans from AVG. The HJT log had a couple of bad entries that I cleaned out.

When I do a ping test I get interesting results. Most any site will respond back from the DNS servers with the correct address. But any security type site reports back a "Could Not find" type answer and the site referenced is the localhost 127.0.0.1. Only security type sites seem to fail. I used a clean machine to ping AVG. I can then type the returned address in the address bar of the infected machine and reach AVG that way.

I have tried WinSock fix, fix lsp, msconfig, HJT, CC cleaner, malwarebytes, combofix, Spyware Dr. I have been in the registry and deleted all of the old WinSock keys. I have removed and reinstalled the TCP stack. I have run the TCP repair commands via the command line using netsh. I deleted the host file in \system32\drivers\etc. I tried to add sites like AVG, Symantec and McAfee into a fresh host file. Still "page cannot be displayed". Yet Google, Yahoo, MSN all come in correctly. They are fresh pages because I have cleared all temp files and history files. I deleted all cookies. I can do searches in Yahoo and Google. I have been connecting to the machine via LogMeIn without any problems at all. So I know the basic TCP is working the problem is in the DNS service.

I have tried restarting the system in Safe mode and Safe Mode with networking. Nothing seems to change the problem. I have tried both MSIE 7 and FireFox3. I believe they all use the same TCP stack. I really don't think this is a browser issue. The problem centers on the DNS being hijacked.

I have taken the system off auto configure. I have hard coded both a TCP address and the dns entries. This is on a home network so there isn't any WINS information. I have used dns servers from both Cox communications and Verizon.

I have tried to use system restore. I cannot create or roll back. The system restore will open but there are no restore points and you get an error when you try to create one. Yet looking at the computer properties Restore claims to be on and working. There is no check mark in the box to turn restore off.

Right now the laptop is in California. I live in Las Vegas. The laptop is being shipped here. I wanted to start the wheels turning to see if anyone with a high level of dns experience might see this posting.

I am sorry this is so lengthy but the "how to post" recommended listing all the things done to the system.
Thanks for your help,
gb
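The symptom described above (security vendor names coming back as 127.0.0.1 or "could not find" while Google and Yahoo resolve normally) can be checked systematically rather than by pinging sites one at a time. The script below is an added example, not something from this thread or from BleepingComputer; it compares what the machine's own resolver returns against answers gathered from a known-clean resolver and flags names that resolve to loopback, to 0.0.0.0, to nothing, or to an address the clean resolver never returned. The hostnames and IP addresses in the sample are constructed (the 198.51.100.x and 203.0.113.x values are documentation ranges, not real vendor addresses); `resolve_live` is included so the same check can be run with the system resolver on a suspect machine.

```python
import ipaddress
import socket
from typing import Dict, Iterable, List

# Names the poster reported as failing (security vendors) next to names that
# worked (portals). Assumed for illustration; any list of hostnames will do.
SECURITY_SITES = ["free.avg.com", "www.symantec.com", "www.mcafee.com"]
CONTROL_SITES = ["www.google.com", "www.yahoo.com", "www.msn.com"]


def verdict(local_addrs: List[str], trusted_addrs: List[str]) -> str:
    """Judge one hostname's answers from the suspect resolver ("local")
    against answers from a clean machine or trusted resolver ("trusted")."""
    if not local_addrs:
        if trusted_addrs:
            return "SUSPICIOUS: no local answer, trusted resolver answers"
        return "no answer from either resolver"
    for a in local_addrs:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            return "SUSPICIOUS: unparsable answer %r" % a
        # Public sites never legitimately resolve to the loopback or
        # unspecified address; this is the classic DNS/hosts-file block.
        if ip.is_loopback:
            return "HIJACKED: resolves to loopback"
        if ip.is_unspecified:
            return "HIJACKED: resolves to 0.0.0.0"
    # A real-looking address that the trusted resolver never returned points
    # at a silent redirect rather than a block.
    if trusted_addrs and not set(local_addrs) & set(trusted_addrs):
        return "SUSPICIOUS: answer disagrees with trusted resolver"
    return "ok"


def find_hijacked(local: Dict[str, List[str]],
                  trusted: Dict[str, List[str]]) -> Dict[str, str]:
    """Return a verdict for every name in the local answer set."""
    return {name: verdict(addrs, trusted.get(name, []))
            for name, addrs in local.items()}


def hijacked_names(local: Dict[str, List[str]],
                   trusted: Dict[str, List[str]]) -> List[str]:
    """Only the names that did not come back 'ok', sorted for stable output."""
    return sorted(n for n, v in find_hijacked(local, trusted).items()
                  if v != "ok")


def resolve_live(names: Iterable[str]) -> Dict[str, List[str]]:
    """Resolve with the system resolver, i.e. whatever the (possibly
    hijacked) machine is configured to use. Not called by the sample run."""
    out: Dict[str, List[str]] = {}
    for n in names:
        try:
            out[n] = socket.gethostbyname_ex(n)[2]
        except socket.gaierror:
            out[n] = []          # 'could not find' becomes an empty list
    return out


# Constructed sample mirroring the reported symptom: portals fine, one
# vendor name sent to loopback, one unresolvable, one silently redirected.
LOCAL_SAMPLE = {
    "www.google.com":   ["198.51.100.10"],
    "www.yahoo.com":    ["198.51.100.20"],
    "free.avg.com":     ["127.0.0.1"],
    "www.symantec.com": [],
    "www.mcafee.com":   ["203.0.113.99"],
}
TRUSTED_SAMPLE = {
    "www.google.com":   ["198.51.100.10", "198.51.100.11"],
    "www.yahoo.com":    ["198.51.100.20"],
    "free.avg.com":     ["198.51.100.30"],
    "www.symantec.com": ["198.51.100.40"],
    "www.mcafee.com":   ["198.51.100.50"],
}

if __name__ == "__main__":
    for name, v in find_hijacked(LOCAL_SAMPLE, TRUSTED_SAMPLE).items():
        print("%-20s %s" % (name, v))
```

On a suspect machine, build `local` with `resolve_live(SECURITY_SITES + CONTROL_SITES)` and `trusted` from the same names resolved on a clean machine (as the poster did by hand with ping); names flagged "HIJACKED" or "SUSPICIOUS" are the ones being filtered, and a non-empty list after the hosts file has been removed means the filtering sits in the resolver path (DNS server settings, a proxy, or a Winsock LSP) rather than in the hosts file.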


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 January 2009 - 10:58 PM

I would say to run SmitfraudFix and see if it spots a DNS hijacker.
This is Part 1
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 gmb

gmb
  • Topic Starter

  • Members
  • 3 posts
  • Gender:Male

Posted 18 January 2009 - 03:40 PM

Thanks for the lead.

I tried to run the file but I got a message "Smithfraudfix.exe has encountered a problem and needs to close................"

I know the simple answer is to reformat and start over but I am just interested in trying to find an answer.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 18 January 2009 - 04:39 PM

There is something deeper in here. Rather than run more tools here, I suggest you post an HJT log and have them dig it out.
Follow this guide. If you can not complete something move on till you get to creating the log. Place the complete log in the second link.

Preparation Guide For Use Before Using Hijackthis

HijackThis Logs and Virus/Trojan/Spyware/Malware Removal

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 January 2009 - 12:32 PM

Hi, I moved your log to its proper location

HERE.. http://www.bleepingcomputer.com/forums/top...ml#entry1099483

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Post in this thread when you haven't received an answer in five days.".

To avoid confusion, I am closing this topic.



