DNS cache may be hijacked?

I have a system with an intermittent problem. It had been infected with Blazefind and Virtual Bouncer malware, but I removed them.

The current symptom is that when I attempt to go to certain sites (*.google.com, *.microsoft.com, yahoo, and a couple of others), the result is a page which looks like a "can't find site" name-problem page, but all the links lead to the FindWhat search engine for credit cards, online casinos, etc.

Obviously this is a hijacked system. The effect is intermittent, and sometimes it lets me google after a reboot. I notice the sites that it hangs on seem to be ones that I would go to to look for how to remove it :(

Here is the kicker. It is not just an IE problem. I installed Mozilla and its little brother Firefox, and they are also affected, so I have to assume that something has gotten to the network layered service provider stacks.

I can find a couple of people who are also searching for this solution, but no real answers. I have had several AV and spyware detection programs take a look, but nothing so far. The system is Win 2k SP#, and I don't want to apply SP4 until I can fix it.

This is a royal pain to fix, since it is the boss's home machine, so I don't have ready access to the machine to provide tons of HijackThis-type logs quickly, but I may be able to trickle them through.
SheharyaarSaahil commented:
Hello rdegroup =)

Hmmmm, so have you yet tried checking your Hosts file in c:\winnt\system32\drivers\etc\hosts
to see whether it contains unwanted entries? I mean, just make sure :)

Of course, as you said, you are not able to use and post the log files... but giving you lots of spyware removal tools and asking you to run them is useless, as you have already cleaned your system a lot on your own, so you don't need them, do you :)

If you cannot post those long logs here, then what you can do is post them here >> http://www.hijackthis.de/index.php?langselect=english

This site can automatically analyse it for you, and can tell you what the BAD things running on your system are... so you can work on them on your own rather than posting them here and waiting for someone to analyse them for you, right :)
You can get the latest HijackThis version from here >> http://tools.radiosplace.com/HijackThis.exe

Post back, and good luck :)
knoxj81 commented:
First check your HOSTS file. The default HOSTS file will look like this:

# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#     rhino.acme.com          # source server
#     x.acme.com              # x client host

127.0.0.1       localhost

____________ E N D____________

Also try flushing your DNS cache.


Now that you're in the command prompt, type:  ipconfig /flushdns

Let me know,
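The HOSTS check suggested above, as an added example that is not from the thread or from either participant: the Windows resolver consults HOSTS before it asks any DNS server, so one line in that file can send www.google.com wherever the hijacker likes. The script below parses a HOSTS file the same way the resolver does (whitespace-separated fields, `#` comments anywhere on the line) and flags every name other than localhost, distinguishing entries that redirect a name to a real address from entries that blackhole it to loopback. SAMPLE_HOSTS is a constructed file; the default path in audit_hosts_file is the Windows 2000 location named earlier in the thread.

```python
# Added example, not from the thread: audit a Windows HOSTS file for hijack
# entries.  SAMPLE_HOSTS is constructed; the path default is the Win2k location.
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.0.2.10      www.google.com          # constructed: redirect to a parasite host
192.0.2.10      www.microsoft.com   search.yahoo.com
127.0.0.1       ad.doubleclick.net      # constructed: blackhole-style entry
"""


def parse_hosts(text):
    """Return [(ip, [hostnames])] for every non-blank, non-comment line.

    Comments start at '#' anywhere on the line; fields are whitespace-separated,
    so tabs and runs of spaces are both fine.  Lines whose first field is not a
    valid IP address are ignored rather than guessed at.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if len(fields) > 1:
            entries.append((str(ip), fields[1:]))
    return entries


def suspicious_entries(text):
    """Flag every mapped name other than localhost.

    'redirect'  - the name is sent to a real address (the hijack described in
                  the thread: a search-engine name pointed at a parasite host).
    'blackhole' - the name is sent to loopback or 0.0.0.0; used by ad blocklists,
                  but also by malware to cut the box off from AV and update sites.
    Returns [(hostname, ip, reason)] in file order.
    """
    flagged = []
    for ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        for name in names:
            if name.lower() == "localhost":
                continue
            reason = "blackhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
            flagged.append((name.lower(), ip, reason))
    return flagged


def audit_hosts_file(path=r"C:\winnt\system32\drivers\etc\hosts"):
    """Read the live HOSTS file (default: the Windows 2000 location) and audit it."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for name, ip, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{reason:9} {name} -> {ip}")
```

Run it against the real file with audit_hosts_file(); a clean Windows 2000 HOSTS file produces no findings at all, so any output is worth a look. Blackhole entries are not automatically malicious (ad blocklists add them on purpose), but if the blackholed names are antivirus or Windows Update hosts, that is the malware protecting itself.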

rdegroupAuthor Commented:
Folks, thanks for the feedback, and speedy at that. I know the hosts file is fine, since I checked it carefully, as an old Unix networking guy would.

I should have RTFM'd on ipconfig to find the flush command, but I will take a look and see whether I can get it to help.

As for the HJT log, I need to go back and get that, as I only have the printout handy, and I am sure you do not want a PDF scan of that!

more to come ...

>> and I am sure you do not want a PDF scan of that !

lol... no, not at all... you can take your time to work on it personally :)
Good Luck =)
rdegroupAuthor Commented:

I have a resolution. The parasite in question managed somehow to insert its own IP address at the top of the DNS server list for the network adapter. Hence all name queries were redirected to that para-site whenever I went looking for some site that might help me diagnose.

The Offending DNS entry was for the record - and any future searchers.

I am going to split the points, as you both helped my creative juices, even if the solution was way over in left field.

Hope that is OK with you guys.

No problem at all... glad you got it resolved :)
Cheers ^_^
rdegroupAuthor Commented:
The split does not look so good, as I can only assign one person as the accepted answer. Sorry, but you did help, and I hope that is OK.
Cool, thanks man. I can't seem to pull up anything on that IP.

Anyone find anything?