DNS poisoning? Not sure


28 replies to this topic

#1 raylward102, Posted 28 March 2014 - 11:38 AM

I've two PCs on the network; one is Windows 7, the other XP. The network also has a couple of wifi clients (phones and laptops).

Anyways; I've had it a couple times now, where the home page (google.ca) loads to an Adobe update page that insists on having me download an exe for the update. This page URL is showing Google.

I've scoured the PC and could not find anything; same results with PC 2 (XP).

I did solve this by ipconfig /flushdns on both PCs and rebooting the router.

Everything works again?

Then a couple of days later, this problem returns.

Is my DNS being poisoned, and how? Any ideas? I'm pretty certain there are no viruses on both of the systems I'm using, and the router is locked down with passwords.

Anyone seen this before?


Edited by hamluis, 28 March 2014 - 05:04 PM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 Roodo, Posted 28 March 2014 - 11:54 AM

Seems like malware is on your system(s).



#3 raylward102 (Topic Starter), Posted 28 March 2014 - 12:10 PM

Ya; thought that too, but both systems correct easily by flushing DNS.

Ran Malwarebytes with no findings and am usually pretty good with identifying crap processes and removal. I've reset browsers to default, cleared caches, and ran virus scans via safe mode.
Out of options.



#4 Roodo, Posted 28 March 2014 - 12:44 PM

Probably a rootkit. Also check your connection and see if a proxy is running. Like you stated, it returned. So it's a homepage redirect.



#5 ITGeekGirl, Posted 28 March 2014 - 12:56 PM

I remember there being a post about it having to do with your router. 

 

http://www.bleepingcomputer.com/forums/t/447651/fake-adobe-flash-player-installer-and-redirect-virus/page-3

 

http://www.bleepingcomputer.com/forums/t/526443/more-hacked-routers-brand/



#6 jonuk76, Posted 28 March 2014 - 01:25 PM

Yes, one similar was in the Linux forum the other day too.  http://www.bleepingcomputer.com/forums/t/528847/google-search-results-redirected-to-fake-flash-player-update-links-ubuntu/

 

I would recommend:

  • Updating the firmware on your router (if one is available)
  • Change the router admin password to something strong, at the very least change it from default
  • Turn off any remote management option (may be called something like "allow configuration from WAN", allow remote management, that type of thing)
  • Make sure that WPA or better security is enabled on the wireless part, if you have it (WPA2 is best) with a strong password
  • Enable the router firewall.


Edited by jonuk76, 28 March 2014 - 01:29 PM.



#7 raylward102 (Topic Starter), Posted 28 March 2014 - 01:34 PM

No proxy set in inetcpl.cpl; hosts file checked.

Double checked the router configuration:

Cisco E1200: firmware: 1.0.00

Passworded securely, UPnP now disabled, and all internet filters applied.


Edited by raylward102, 28 March 2014 - 01:36 PM.


#8 raylward102 (Topic Starter), Posted 28 March 2014 - 02:24 PM

Funny thing I've noticed; even though my homepage comes up fine for now, if I type http://yahoo.com in the web address bar, I receive that annoying fake Adobe update page... so the problem still exists.

Later on (a day or two later), opening my browser's default homepage http://google.ca will be answered with this fake Adobe page.

I'm not sure if this is external DNS (a router problem) or internally manipulated DNS (my system infected).



#9 Roodo, Posted 28 March 2014 - 03:49 PM

Run this and tell me what happens (you need to check all the computers on that network).

http://www.bleepingcomputer.com/download/tdsskiller/



#10 technonymous, Posted 29 March 2014 - 07:30 AM

Go to the Adobe website and see if they are truly pushing an update. The browser uses Flash a lot, so it probably is a legit update.



#11 ITGeekGirl, Posted 01 April 2014 - 08:22 AM

"Go to the Adobe website and see if they are truly pushing an update. The browser uses Flash a lot, so it probably is a legit update."

Every time you open up a browser or browser tab? Not likely. Adobe is annoying, but not this aggressive.

Seriously, I posted a warning about the Adobe thing in my office yesterday. It's likely your router needs its firmware updated. I just helped one of the ladies in the office with fixing hers. She does a lot of work from home and has been struggling with this exact same problem.



#12 Alchemist, Posted 01 April 2014 - 08:23 PM

I've got this problem, just today. Windows 7 64-bit system. Every time I try to go to www.google.com I get redirected to a fake Flash Player update page. Already installed and ran the latest Malwarebytes Anti-Malware tool and TDSSKiller direct from Kaspersky Labs. Nothing found. But it won't go away. Both IE and SeaMonkey are affected. Looking at my system logs, I see a long string of errors over the last few days. Weird errors. MS Security Essentials keeps stopping due to "hardware error".

Session "Microsoft Security Client OOBE" stopped due to the following error: 0xC000000D

Yes, my DSL router had also been hacked and the DNS servers changed. I changed them back, though of course until the security problem is fixed they can just change it again. Even when I look and see that the DNS servers are still set right, the problem continues.

One more update before I give up for the night. Using https works. I can reach www.google.com that way. Is that a sign of something along the route intercepting? Or can redirect viruses be fooled that way?

Edited by Alchemist, 01 April 2014 - 09:31 PM.


#13 technonymous, Posted 02 April 2014 - 01:53 AM

Usually a browser redirection is done at the browser and yes, it is malware, virus etc. garbage. If it's being done at the router then someone has compromised the router, generally someone in the vicinity of the router's location. It could also be that a provider is doing work on the network and is using a different server. What is the IP of the DNS servers in the router? As far as https, yes, that will help protect you from any middleman attacks. What sites are you being sent to?


Edited by technonymous, 02 April 2014 - 01:54 AM.


#14 Alchemist, Posted 02 April 2014 - 09:51 AM

The site is whatever I tried to reach. It doesn't say what the actual source of the scam page is. I've run all sorts of scanners and can't find anything. Next I guess I'll try completely removing and reinstalling the browser. If that doesn't work I hate to think of having to completely reinstall Windows just to remove some stoopid browser redirect.

 

The DNS server WAS reset to 173.234.241.50 but I changed it back to my local ISP server. For some reason it had also set Google's DNS as the second server. I guess to catch anything their scam site didn't have?
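A defender-side check for the question technonymous asks in #13 and Alchemist answers in #14 (which resolvers the router is actually handing out), written as an added example that is not code from this thread: it parses constructed `ipconfig /all` output from a Windows client and flags any DNS server that is neither a LAN address nor on a list of resolvers you chose yourself. The sample output and the `expected` list are assumptions; the rogue address 173.234.241.50 is the one reported above.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not captured from a real
# machine): the router hands out the rogue 173.234.241.50 from this thread
# as primary resolver, with Google's 8.8.8.8 as secondary.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.101
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 173.234.241.50
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)?\s*$")

def parse_dns_servers(ipconfig_text):
    """Return every resolver listed in `ipconfig /all` output. Windows puts
    the first on the 'DNS Servers' line and the rest on address-only lines."""
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        m = DNS_LINE.match(line)
        if m:
            collecting = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        if collecting:
            try:
                servers.append(str(ipaddress.ip_address(line.strip())))
            except ValueError:
                collecting = False  # first non-address line ends the list
    return servers

def audit_dns_servers(servers, expected):
    """A private (LAN) address means the router itself answers; an address
    in `expected` is one you chose (your ISP's, or a public resolver you set
    on purpose). Anything else is flagged: the router's DNS may have been changed."""
    expected_ips = {ipaddress.ip_address(e) for e in expected}
    findings = []
    for s in servers:
        ip = ipaddress.ip_address(s)
        ok = ip.is_private or ip in expected_ips
        findings.append((s, "ok" if ok else "UNEXPECTED"))
    return findings
```

Run it against the real `ipconfig /all` text from each machine on the LAN; a resolver flagged UNEXPECTED on every client points at the router's settings rather than at one infected PC.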



#15 ITGeekGirl, Posted 02 April 2014 - 11:05 AM

Follow the directions of MrBruce in post #5 of this thread.

 

http://www.bleepingcomputer.com/forums/t/526443/more-hacked-routers-brand/


