Solved

DNS cache may be hijacked?

Posted on 2004-09-14
186 Views
Last Modified: 2010-04-11
I have a system with an intermittent problem. It had been infected with Blazefind and Virtual Bouncer malware, but I removed them.

The current symptom is that when I attempt to go to certain sites (*.google.com, *.microsoft.com, yahoo, and a couple of others) the result is a page which looks like a "can't find site" name problem page, but all the links lead to the findwhat search engine for credit-cards, online-casinos etc.

Obviously this is a hijacked system.  The effect is intermittent, and sometimes lets me google after a reboot.  I notice the sites that it hangs on seem to be ones that I would go to to look for how to remove it :(

Here is the kicker. It is not just an IE problem. I installed Mozilla and its little brother Firefox and they are also affected, so I have to assume that something has gotten to the network layered service provider stacks.

I can find a couple of people who are also searching for this solution, but no real answers. I have several AV and spyware detection programs take a look, but nothing so far. System is Win 2k SP#, and I don't want to apply SP4 until I can fix it.

This is a royal pain to fix, since it is the boss's home machine, so I don't have ready access to the machine to provide tons of HijackThis-type logs quickly, but may be able to trickle them through.
0
Question by:rdegroup
8 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 150 total points
ID: 12059330
Hello rdegroup =)

hmmmmm so have u yet tried checking ur Hosts file in c:\winnt\system32\drivers\etc\hosts
to see if it contains the unwanted entries,,, i mean just make sure :)

of course as u said u are not able to use and post the log files..... but giving u lots of spyware removal tools and asking to run them is useless, as u have already cleaned ur system lots on ur own, so u dont need them, do u :)

if u cannot post here those long logs, then what u can do is to post them here >> http://www.hijackthis.de/index.php?langselect=english

this site can automatically analyse it for u, and can tell what are BAD things running on ur system... so u can work with them on ur own rather than posting them here and waiting for someone to analyse them for u, right :)
u can get the latest hijackthis version from here >> http://tools.radiosplace.com/HijackThis.exe

Post Back and Good Luck :)
0
 
LVL 6

Assisted Solution

by:knoxj81
knoxj81 earned 150 total points
ID: 12059341
First check your HOSTS file. The default hosts file will look like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

____________ END ____________

Also try Flushing your DNS.

START >> RUN : CMD

Now that you're in the command prompt, type:  ipconfig /flushdns

Let me know,

Jorden
0
 

Author Comment

by:rdegroup
ID: 12059424
Folks, thanks for the feedback, and speedy at that. I know the hosts file is fine, since I checked it carefully as an old Unix networking guy would.

I should have RTFM on ipconfig to find the flush command, but will take a look and see whether I can get it to help.

As for the HJT log, I need to go back and get that, as I only have the printout handy and I am sure you do not want a PDF scan of that!

more to come ...
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12059484
>> and I am sure you do not want a PDF scan of that !

lol.... no not at all... u can take ur time to work on it personally :)
Good Luck =)
0

 

Author Comment

by:rdegroup
ID: 12075444
Folks,

I have resolution. The parasite in question managed somehow to insert its own IP address into the top of the DNS list for the network adapter. Hence all name queries were redirected to that para-site whenever I went looking for some site that might help me diagnose.

The Offending DNS entry was 209.47.15.118 for the record - and any future searchers.

I am going to split the points as you both helped my creative juices even if the solution was way over in left field.

Hope that is OK with you guys.

thanks
Roger
0
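A small audit of the two places this thread points at, the hosts file (knoxj81's check) and the adapter's DNS server list (where rdegroup found the problem), added here as an example and not code from the thread; the hosts text and the ipconfig /all excerpt are constructed, and 209.47.15.118 is the address rdegroup reported.

```python
"""Hosts-file and DNS-server audit for the hijack discussed in this thread.
Added example, not code from the thread; sample text below is constructed."""
import ipaddress
import re

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed hosts file: the Windows default plus one injected redirect.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
209.47.15.118   www.google.com      # injected by malware
"""

# Constructed 'ipconfig /all' excerpt; the first resolver is the rogue
# address rdegroup found (the only value here taken from the thread).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.20
        DNS Servers . . . . . . . . . . . : 209.47.15.118
                                            192.168.1.1
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs with comments and blank lines removed."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()

def suspicious_hosts_entries(text):
    """Flag every mapping except localhost -> loopback (the clean default)."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if not (name == "localhost" and ip in LOOPBACK)]

def dns_servers_from_ipconfig(text):
    """Collect the 'DNS Servers' value and its indented continuation lines."""
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        cont = collecting and re.fullmatch(r"[0-9a-fA-F.:]+", line.strip())
        if m or cont:
            servers.append(m.group(1) if m else line.strip())
        collecting = bool(m or cont)
    return servers

def rogue_dns_servers(servers, allowed_networks):
    """Return resolvers outside the networks you expect (LAN router, ISP)."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return [s for s in servers
            if not any(ipaddress.ip_address(s) in n for n in nets)]
```

On a real machine, feed it the contents of the hosts file and the output of `ipconfig /all`, with the allow list set to your LAN and ISP resolver ranges.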
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12075475
no problem at all... glad u got it resolved :)
Cheers ^_^
0
 

Author Comment

by:rdegroup
ID: 12075478
The split does not look so good, as I can only assign one person as the accepted answer. Sorry, but you did help and I hope that is OK.
0
 
LVL 6

Expert Comment

by:knoxj81
ID: 12076224
cool thanks man. I can't seem to pull up anything on that IP.

Anyone find anything?
0
