Browser Redirect (DNS)


  • This topic is locked
12 replies to this topic

#1 SanAequitas

SanAequitas

  • Members
  • 5 posts

Posted 28 May 2011 - 04:03 PM

Mkay, well I've got a couple siblings that really managed to mess up their computers. Essentially, browsers all redirect to a splash page that says (website name changes based on what website you try to go to)

http://postimage.org/image/v10abj8/

In addition, any program that tries to access internet gives an error saying it is not available. However, Java is still showing new updates, and I can connect/disconnect easily in Network Connections. Under ipconfig, DNS Servers is set to 188.229.88.7?


We have Verizon FiOS, with the Actiontec MI-424 WR Rev D, running firmware version 4.0.16.1.56.0.10.14.4. On the system, I've got a desktop hardwired (had "XP Total Security" infection, took care of that), and an HP printer. On the wireless, we've got a good 4 laptops, and a couple phones that are occasionally on the wifi. Currently, the desktop, my laptop, and my phone are fine. Two of the laptops have this issue, and another one had this issue, the update was clicked on, and now can't boot into Windows. I have a bootable Ubuntu USB drive, and once in that, Firefox is still having the same internet block.!?



So far, I have attempted the following:

== Command Prompt as Admin:
netsh int ip reset c:\resetlog.txt
ipconfig /flushdns
netsh winsock reset

== Malwarebytes Anti-Malware
Updated definitions on my computer, then copied rules.ref over to the infected computer. Scan came up clean.

== CCleaner/ATF Cleaner
cleans up computer, not really malware/spyware but I usually do this when I'm cleaning anyway.

== tdsskiller, gooredfix both came up with nothing.

== The only thing that kind of works (allows Firefox to access internet) is to manually set up a proxy. Allows a browser to browse the web, but Malwarebytes was still unable to update.



=!=! I have NOT tried/run:
- ComboFix
- SuperAntiSpyware
- HiJackThis
- MGTools
- Spyware-Doctor (used this to fix desktop XP Security infection)




For the other computer, who actually 'updated' his browser:
His computer can't boot, it hits the Repair Console (simple boot-up one) and then resets, does it again, etc. Going through some of the other auto-recovery thing it ran, it said that a boot-critical file was corrupted, c:\CI.dll. I have a Kaspersky USB Rescue Disk 10 http://support.kaspersky.com/faq/?qid=208282163 that I've run on it, but so far it hasn't really found any issues, though I think on the longer scans for some reason the CPU is hitting critical heat (88 degrees) and so the system shuts down (according to one line I managed to catch in the Kaspersky scans). I was able to use the bootable Ubuntu USB, which works just fine (haven't done any scan/troubleshooting yet) but its Firefox is having the same issues as the other computers.


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 28 May 2011 - 04:19 PM

Try doing this;

Please go to Start > Control Panel > Network Connections
Select your Local Network.
Click Properties, then select Internet Protocol (TCP/IP).
Click Properties.

You will see a window titled Internet Protocol (TCP/IP) Properties.

Click on Use the following DNS server addresses:
Preferred DNS server: 8.8.8.8
Alternate DNS server: 8.8.4.4

Click OK.



NEXT:



Flush DNS
  • Now go to Start > Run > type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns (note the space between ..g /f it needs to be there)
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.


Reboot your computer and see how things are working after doing the above.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 SanAequitas

SanAequitas
  • Topic Starter

  • Members
  • 5 posts

Posted 28 May 2011 - 05:02 PM

All right, that seems to be working on my sister's computer (hers is the main one I've been experimenting on), but I'll have to wait till my brother's back with his password to verify it working on his.

However, this more seems like a bypass around the problem, not really a true fix?

#4 SanAequitas

SanAequitas
  • Topic Starter

  • Members
  • 5 posts

Posted 29 May 2011 - 12:02 AM

Hmm.. This is awesome. I haven't done any browsing on my computer since I last posted here. I locked my computer, left for work, only things open was Firefox with this thread in a window by itself, and a p2p program, eMule. Get back from work, log in, and first thing I do is refresh this thread, by pressing f5. Now mine had the internet block. Ran through the quick GoogleDNS bypass, but given that my computer wasn't doing anything actively, it seems like the router is infected or one of the other computers' infection is running through the router..?

#5 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 29 May 2011 - 09:56 AM

Yeah, sounds like something wacky maybe going on with the router.

Router Reset
  • Please read this: Malware Silently Alters Wireless Router Settings

  • Consult this link to find out what is the default username and password of your router and note down them: Route Passwords

  • Then reset your router to its factory default settings:

    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 30 seconds)"


  • This is the difficult part.
    First get to the router's server. To do that type http://192.168.1.1 in the address bar and click Enter. You get the log in window.
    Fill in the password you have already found and you will get the configuration page.
    Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard. But you have to fill in the log in password your ISP has initially given to you.
    You can also call your ISP if you don't have your initial password.
    Don't forget to change the router's default password and set a strong password. Note down the password and keep it somewhere for future reference.

  • Please make sure of the following settings:
  • Go to Start -> Control Panel -> Double click on Network Connections.
  • Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.
  • Select the General tab.
  • Double click on Internet Protocol (TCP/IP).
  • Under General tab:
  • Select "Obtain an IP address automatically".
  • Select "Obtain DNS server address automatically".

  • Click OK twice to save the settings.
  • Reboot if you had to change any setting.

NEXT:



Flush the DNS cache
  • Click the Start logo in the bottom left corner of the screen
  • Click on Run
  • In the command window copy/paste the following
ipconfig /flushdns
  • then hit enter
  • Exit the command window.

After that, Reboot



#6 chiles

chiles

  • Members
  • 1 post

Posted 31 May 2011 - 10:41 AM

It's Not the router.


Edit: Apparently you can just look for the DHCP server entry when you run the command ipconfig /all in the command prompt. Download the Rogue DHCP Server detection tool from Microsoft's TechNet: http://blogs.technet.com/b/teamdhcp/archive/2009/07/03/rogue-dhcp-server-detection.aspx


One of the computers on your network is infected and creating a fake DHCP server giving out bad DNS info.

It appears no one has found a permanent fix just yet.

Edited by chiles, 31 May 2011 - 02:21 PM.
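A small check for the symptom chiles describes, added here as an example; it is not code from the thread or from Microsoft's detection tool. It parses the text of `ipconfig /all` and flags any DHCP-enabled adapter whose DHCP server or DNS servers are not on a short allow-list. The sample output and the expected addresses (192.168.1.1 for the router, Google's 8.8.8.8/8.8.4.4) are constructed assumptions for this example; 188.229.88.7 is the rogue resolver named earlier in the thread.

```python
"""
Added example (not from the BleepingComputer thread): parse `ipconfig /all`
output and flag adapters whose DHCP server or DNS servers are unexpected.
The sample text below is constructed for this example; the expected-server
sets are assumptions (router at 192.168.1.1, Google DNS as the manual fix).
"""
import re

# Assumption for this example: the router is the only legitimate DHCP server,
# and the only resolvers we accept are the router or the Google DNS pair.
EXPECTED_DHCP_SERVERS = {"192.168.1.1"}
EXPECTED_DNS_SERVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

# Constructed sample: the wired adapter got its lease from the router, the
# wireless adapter got one from another host on the LAN handing out 188.229.88.7.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP-A

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.5
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Ethernet adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.12
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.23
   DNS Servers . . . . . . . . . . . : 188.229.88.7
                                       188.229.88.7
"""

# "   DHCP Server . . . . : 192.168.1.1" -> key "DHCP Server", value "192.168.1.1"
KEY_RE = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")
# "Ethernet adapter Local Area Connection:" -> adapter name
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")


def parse_ipconfig(text):
    """Return {adapter_name: {field: [values...]}} from `ipconfig /all` text."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            last_key = None
            continue
        if current is None:
            continue  # host-wide header lines (Host Name etc.) are not needed
        m = KEY_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            value = m.group(2).strip()
            adapters[current][last_key] = [value] if value else []
            continue
        cont = line.strip()
        if cont and last_key is not None:
            # Indented continuation line: a second DNS server under the first.
            adapters[current][last_key].append(cont)
    return adapters


def find_rogue_settings(adapters, expected_dhcp=EXPECTED_DHCP_SERVERS,
                        expected_dns=EXPECTED_DNS_SERVERS):
    """Return [(adapter, field, offending_value)] for DHCP-enabled adapters
    whose DHCP server or DNS servers fall outside the expected sets."""
    findings = []
    for name, fields in adapters.items():
        if "Yes" not in fields.get("DHCP Enabled", []):
            continue  # a static configuration cannot have been poisoned by DHCP
        for server in dict.fromkeys(fields.get("DHCP Server", [])):
            if server not in expected_dhcp:
                findings.append((name, "DHCP Server", server))
        for server in dict.fromkeys(fields.get("DNS Servers", [])):
            if server not in expected_dns:
                findings.append((name, "DNS Servers", server))
    return findings


if __name__ == "__main__":
    for adapter, field, value in find_rogue_settings(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"[!] {adapter}: unexpected {field} {value}")
```

To run it against a live machine, replace `SAMPLE_IPCONFIG` with `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout`. An adapter whose DHCP Server entry is not the router points at the host that is handing out the bad lease; that address, not the DNS one, is the machine to take off the network and clean.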


#7 splntz

splntz

  • Members
  • 1 post

Posted 31 May 2011 - 05:53 PM

Our company was hit with this. I have found that most computers are just affected not infected. Most of the computers that are actually infected (became the dhcp servers) are people who are smart enough not to click on weird links or surf the web. We have been able to catch the rootkit on peoples computers using trend micro's rootkit buster as well as one machine with zone alarm to see what computers it tries to connect to when releasing and renewing the ip address. I'm running out of ideas here. I've been at this all day and have no clue if i'm actually fixing the real issue or if this thing will just infect more pc's.

I'll check back later.

#8 MrsDW09

MrsDW09

  • Members
  • 2 posts

Posted 10 June 2011 - 10:16 PM

I am a Verizon DSL (now Frontier actually) customer, and have had this same issue now for three days. Opera browser is the only browser I can use at this point, and this whatever it is has taken over all 4 systems in my home. It almost seems to migrate from one to the other. None are networked though, we only use the same modem (2 hardwired, 2 wireless).
We have the same fake Firefox screen warning, even on IE!! Browsers are redirecting, and AVG & Malwarebytes are blocking the IP 188.229.88.7 as a threat trying to access. AVG Online Shield Alert is saying:
Online Shield findings
Infection;"Object";"Result";"Detection time";"Object Type";"Process"
Trojan horse Generic22.BKXF;"188.229.88.7/X";"Object was blocked";"6/10/2011, 9:56:49 PM";"file";"C:\WINDOWS\system32\svchost.exe"

However, all scans come up clean, everything from Advanced System Care, AVG, Malwarebytes, and every other scanner I could find during the 15 minutes of internet access this bug let me have this morning.
Scanners can't update, pages get the fake Firefox splash screen (blacklist_favicon) even in IE, all browsers, even Chrome, are redirecting.
Computers reboot themselves.
Here is my Hijack This scan. I will try to get one the next time the BUG flares up as it seems to take a break now and then, allowing me some time to do a few things.

Log removed as such are not analyzed in this forum, and given the passage of time is no longer relevant to current computer situation so moving this post makes no sense. ~ OB

This bug survived a complete re-imaging. Wiped it factory-fresh, opened IE, and WHAMMMO! Firefox fake warning screen claiming the browser version is not supported and offering the update.exe file button. I'm guessing this thing does not live on a computer, but just flows through it, and through the net signal somehow....is it possible this is a Verizon hackjob? Whatever it is, I am about at my wits' end and can not deal with it much more. So frustrated. Guess that info doesn't help solve it though lol.
Oh, I called Verizon yesterday and got told it was not possible for a virus to be going around the house like this. Called back today, and was told a verizon field service person would be here today between 9am and 5pm, but no one showed up. I will be calling back in the AM...although it is Saturday, so who knows. :angry:

Edited by Orange Blossom, 22 June 2011 - 01:43 PM.


#9 jmhooten

jmhooten

  • Members
  • 1 post

Posted 21 June 2011 - 02:56 PM

We had the same issue on our network, one of our machines was infected and became a zombie DNS server redirecting to the russians. I managed to find the culprit and get it off the network. On the machines that were redirected I did the following.

Switched
Preferred DNS server: 8.8.8.8
Alternate DNS server: 8.8.4.4

ipconfig /flushdns

reboot...

But when I change it back to "automatically configure DNS" it keeps reverting to the Russians (the 188.xx.xx.xx DNS server). While it now uses the proper DHCP server (my domain server) I can't seem to get it to forget this DNS server no matter what I do. Any help?

Edited by jmhooten, 21 June 2011 - 04:17 PM.
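What splntz's firewall-watching on release/renew and jmhooten's reverting DNS setting both come down to is the DHCP OFFER or ACK the client accepts when it renews. The added example below is not from the thread: it builds two constructed DHCP replies with Python's standard library, one from the router and one from a rogue host that keeps the real gateway (so browsing still seems to work) but substitutes 188.229.88.7 as the resolver, and audits each against trusted DHCP-server and DNS lists. The trusted addresses are assumptions for the example; on a real network the same audit would be fed packets captured on UDP port 68.

```python
"""
Added example, not code from the thread: construct DHCP replies and audit
them for an untrusted server identifier (option 54) or untrusted DNS servers
(option 6). Trusted addresses below are assumptions for the example.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # BOOTP vendor cookie that precedes the options
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

# Assumption for this example: the router is the only DHCP server and resolver.
TRUSTED_DHCP = {"192.168.1.1"}
TRUSTED_DNS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}


def ip_bytes(addr):
    return ipaddress.IPv4Address(addr).packed


def ip_list(raw):
    """Decode a run of 4-byte addresses (options 3, 6 and 54 carry these)."""
    return [str(ipaddress.IPv4Address(raw[i:i + 4]))
            for i in range(0, len(raw) - len(raw) % 4, 4)]


def build_dhcp_reply(msg_type, yiaddr, server_id, routers, dns_servers, xid=0x3903F326):
    """Construct a minimal BOOTREPLY carrying the options this audit looks at.
    Sample traffic for the example, not a capture from the thread."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                   # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,               # transaction id, secs, flags (broadcast bit)
        b"\0" * 4, ip_bytes(yiaddr),  # ciaddr, yiaddr (the address being offered)
        b"\0" * 4, b"\0" * 4,         # siaddr, giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + ip_bytes(server_id)
    opts += bytes([OPT_ROUTER, 4 * len(routers)]) + b"".join(map(ip_bytes, routers))
    opts += bytes([OPT_DNS, 4 * len(dns_servers)]) + b"".join(map(ip_bytes, dns_servers))
    return header + DHCP_MAGIC + opts + bytes([OPT_END])


def parse_dhcp_options(packet):
    """Walk the TLV option area and return {code: raw value}; raises on truncation."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options[code] = value
        i += 2 + length
    return options


def audit_dhcp_reply(packet, trusted_dhcp=TRUSTED_DHCP, trusted_dns=TRUSTED_DNS):
    """Summarise an OFFER/ACK and list every reason it should not be trusted."""
    options = parse_dhcp_options(packet)
    msg_type = MSG_TYPES.get((options.get(OPT_MSG_TYPE) or b"\0")[0], "UNKNOWN")
    server_id = ip_list(options.get(OPT_SERVER_ID, b""))
    dns = ip_list(options.get(OPT_DNS, b""))
    issues = []
    if msg_type in ("OFFER", "ACK"):
        if not server_id or server_id[0] not in trusted_dhcp:
            issues.append(f"{msg_type} from untrusted DHCP server "
                          f"{server_id[0] if server_id else '<none>'}")
        issues += [f"{msg_type} hands out untrusted DNS server {d}"
                   for d in dns if d not in trusted_dns]
    return {"type": msg_type, "server_id": server_id, "dns": dns, "issues": issues}


# Constructed samples: the router's lease, and a rogue host's lease that keeps the
# real gateway but substitutes the resolver named in the thread.
LEGIT_OFFER = build_dhcp_reply(2, "192.168.1.5", "192.168.1.1", ["192.168.1.1"], ["192.168.1.1"])
ROGUE_OFFER = build_dhcp_reply(2, "192.168.1.12", "192.168.1.23", ["192.168.1.1"],
                               ["188.229.88.7", "188.229.88.7"])

if __name__ == "__main__":
    for label, pkt in (("router", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        result = audit_dhcp_reply(pkt)
        print(label, result["type"], "server", result["server_id"], "dns", result["dns"])
        for issue in result["issues"]:
            print("  [!]", issue)
```

The server identifier in option 54 is what a client remembers for its lease, which is why setting DNS back to automatic re-imports the bad resolver until the host at that address stops answering; a rogue server that also wins the race on a DISCOVER is the reason a freshly re-imaged machine gets the same bad lease.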


#10 jenn3

jenn3

  • Members
  • 75 posts

Posted 22 June 2011 - 07:39 AM

Just want to say thank you to SweetTech...3 of my 4 computers would not let me access the internet..I had the red box with the policeman pop up saying something like update your browser, etc...and I followed your instructions and my DNS server was 188.229.887 and I noticed on the only good working computer that one had a different DNS server..I put the 8.8.8.8 with alternate 8.8.4.4 and followed your instructions and I am back online. I am going to try it on the 2 other compromised computers. Thank you for your help. Is there anything else I need to do? Is this permanently fixed? Also, on one of the other computers my daughter thinks she pressed the update button; will this make a difference on fixing the computer?

#11 MrsDW09

MrsDW09

  • Members
  • 2 posts

Posted 22 June 2011 - 08:54 AM

Changing to 8.8.8.8 does not help, as it reverts back asap...we, however, found the fix at http://support.kaspersky.com/faq/?qid=208283363. Since running this on ALL the computers in the house, methodically going through the house, leaving each computer offline once fixed until all other computers are fixed. We have not had one issue since this fix.

#12 jenn3

jenn3

  • Members
  • 75 posts

Posted 22 June 2011 - 12:51 PM

I clicked that link and it brought me to a search box

#13 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,851 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 22 June 2011 - 01:47 PM

As this topic has been hijacked by several members and the original poster has not been back since May 29, I am closing this topic to avoid further confusion. If any of you need assistance with your computer issues, please create YOUR OWN topic. While symptoms may be similar, the causes and the solutions can be vastly different, especially in the area of malware removal. Following advice meant for someone else can, in the worst case, cause an unbootable computer.

This topic is now closed.

Orange Blossom ~ forum moderator



