DNS cache may be hijacked?

Posted on 2004-09-14
Last Modified: 2010-04-11
I have a system with an intermittent problem.  It had been infected with Blazefind and Virtual Bouncer malware, but I removed them.

The current symptom is that when I attempt to go to certain sites (*, *, yahoo, and a couple of others) the result is a page which looks like a "can't find site" name problem page, but all the links lead to the findwhat search engine for credit-cards, online-casinos etc.

Obviously this is a hijacked system.  The effect is intermittent, and sometimes lets me google after a reboot.  I notice the sites that it hangs on seem to be ones that I would go to to look for how to remove it :(

Here is the kicker.  It is not just an IE problem.  I installed Mozilla and its little brother Firefox and they are also affected, so I have to assume that something has gotten to the network layered service provider stacks.

I can find a couple of people who are also searching for this solution, but no real answers.   I have had several AV and spyware detection programs take a look, but nothing so far.  System is Win 2k SP#, and I don't want to apply SP4 until I can fix it.

This is a royal pain to fix, since it is the boss's home machine, so I don't have ready access to the machine to provide tons of HijackThis-type logs quickly, but may be able to trickle them through.
Question by: rdegroup
LVL 65

Accepted Solution

SheharyaarSaahil earned 150 total points
ID: 12059330
Hello rdegroup =)

hmmmmm so have you yet tried checking your Hosts file in c:\winnt\system32\drivers\etc\hosts
to see if it contains the unwanted entries,,, i mean just make sure :)

of course as you said you are not able to use and post the log files..... but giving you lots of spyware removal tools and asking you to run them is useless, as you have already cleaned your system lots on your own, so you don't need them, do you :)

if you cannot post here those long logs, then what you can do is to post them here >>

this site can automatically analyse it for you, and can tell what are BAD things running on your system... so you can work with them on your own rather than posting them here and waiting for someone to analyse them for you, right :)
you can get the latest hijackthis version from here >>

Post Back and Good Luck :)

Assisted Solution

knoxj81 earned 150 total points
ID: 12059341
First check your HOSTS file. The default HOSTS file will look like this:

# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#          # source server
#              # x client host       localhost

____________ E N D____________

Also try flushing your DNS.

now that you're in command prompt type:  ipconfig /flushdns

Let me know,


Author Comment

ID: 12059424
Folks, thanks for the feedback and speedy at that.  I know the hosts file is fine, since I checked it carefully as an old Unix networking guy would.

I should have RTFM on ipconfig to find the flush command, but will take a look and see whether I can get it to help.

as for the HJT log, I need to go back and get that, as I only have the printout handy and I am sure you do not want a PDF scan of that !

more to come ...
LVL 65

Expert Comment

ID: 12059484
>> and I am sure you do not want a PDF scan of that !

lol.... no not at all... you can take your time to work on it personally :)
Good Luck =)

Author Comment

ID: 12075444

I have resolution.  The parasite in question managed somehow to insert its own IP address at the top of the DNS list for the network adapter.  Hence all name queries were redirected to that para-site whenever I went looking for some site that might help me diagnose.

The Offending DNS entry was for the record - and any future searchers.

I am going to split the points as you both helped my creative juices even if the solution was way over in left field.

Hope that is OK with you guys.
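The two checks this thread converges on, a tampered HOSTS file (knoxj81's suggestion) and a rogue resolver placed first in the adapter's DNS server list (the author's actual finding), are both easy to verify offline from a copy of the hosts file and a saved ipconfig /all printout. The following Python script is an added example, not code from the thread or from any of the posters; the HOSTS content, the ipconfig excerpt and the 203.0.113.x addresses are constructed sample data (documentation-range addresses), and the trusted network list is an assumption you would replace with your own LAN and ISP resolver ranges.

```python
"""Offline checks for the two DNS-redirection techniques discussed in this thread:
a tampered HOSTS file and a rogue DNS server inserted into the adapter's list.
Added example; sample inputs below are constructed, not taken from the thread."""
import ipaddress
import re

# Constructed HOSTS file: the stock header plus two entries of the kind a
# hijacker adds so that look-ups for popular sites land on its own host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
203.0.113.50    www.google.com      # constructed: added by malware
203.0.113.50    yahoo.com
"""

# Constructed "ipconfig /all" excerpt with a rogue resolver listed first.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home.example
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            192.168.1.1
"""

# Mappings that legitimately live in HOSTS on a clean machine.
HOSTS_ALLOWLIST = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text, ignoring comments and blanks."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def suspicious_hosts_entries(text):
    """Flag every mapping not on the allowlist. A public name pointed at a
    non-loopback address redirects every browser on the box, which matches the
    'IE, Mozilla and Firefox all affected' symptom."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if (ip, name) not in HOSTS_ALLOWLIST]


def parse_dns_servers(ipconfig_text):
    """Extract the ordered DNS server list from ipconfig /all output, including
    the indented continuation lines that follow the 'DNS Servers' line."""
    servers = []
    in_dns = False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        if in_dns:
            stripped = line.strip()
            if stripped and re.fullmatch(r"[0-9a-fA-F:.]+", stripped):
                servers.append(stripped)
            else:
                in_dns = False
    return servers


def rogue_dns_servers(ipconfig_text, trusted_networks):
    """Return DNS servers outside every trusted network (LAN, ISP resolvers).
    Order is preserved because Windows queries the first entry first."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    rogue = []
    for server in parse_dns_servers(ipconfig_text):
        addr = ipaddress.ip_address(server)
        if not any(addr in net for net in nets):
            rogue.append(server)
    return rogue


if __name__ == "__main__":
    # Assumed trusted range: the home LAN; replace with your own ranges.
    print("Suspicious HOSTS entries:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("DNS servers in order:", parse_dns_servers(SAMPLE_IPCONFIG))
    print("Rogue DNS servers:", rogue_dns_servers(SAMPLE_IPCONFIG, ["192.168.1.0/24"]))
```

On a real machine you would feed the script the actual hosts file and the output of ipconfig /all, and treat any resolver outside your LAN or ISP ranges at the head of the list the way the author did: remove it from the adapter's TCP/IP settings, then run ipconfig /flushdns so cached answers from the rogue server are discarded as well.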

LVL 65

Expert Comment

ID: 12075475
no problem at all... glad u got it resolved :)
Cheers ^_^

Author Comment

ID: 12075478
The split does not look so good as I can only assign one person as the accepted answer.  Sorry but you did help and I hope that is OK

Expert Comment

ID: 12076224
cool thanks man. I can't seem to pull up anything on that IP.

Anyone find anything?
