[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Dns cache may be hijacked ?

Posted on 2004-09-14
8
Medium Priority
?
197 Views
Last Modified: 2010-04-11
I have a system with an intermittent problem.  It had been infected with Blazefind and  Virtual bouncer Malware, but I removed them.

The current symptom is that when I attempt to got to certain sites (*.google.com, *.microsoft.com, yahoo, and a couple of others) the result is a page which looks like a "cant find site" name problem page, but all the link lead to the findwhat search engine for credit-cards, online-casinos etc.

Obviously this is a hijacked system.  The effect is intermittent, and sometimes lets me google after a reboot.  I notice the sites that it hangs on seem to be ones that I would go to to look for how to remove it :(

Here is the kicker.  It is not just an IE problem.  I istalled Mozilla and it's little brother Firefox and they are also affected, so I have to assume that somthing has gotten to the network layered service provider stacks.

I can find a couple of people who are also searching for this solution, but no real answers.   I have several AV and Spyware detection programs take a look, but nothing so far.  System is Win 2k SP#, and I dont want to apply SP4 until I can fix it.

This is a royal pain to fix, since it is the bosses Home machine, so I dont have ready access to the machine to provide tons of HiJack this type logs quickly, but may be able to trickle them thru.
0
Comment
Question by:rdegroup
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 450 total points
ID: 12059330
Hello rdegroup =)

hmmmmm so have u yet tried checking ur Hosts file in c:\winnt\system32\drivers\etc\hosts
that if it contains the unwated entries,,, i mean just make sure :)

ofcourse as u said u are not able to use and post the logs files..... but giving u lots of spyware removal tools and asking to run them is useless, as u have already cleaned ur system lots on ur own, so u dont need them, do u :)

if u cannot post here those long logs, then what u can do is to post them here >> http://www.hijackthis.de/index.php?langselect=english

this sit ecan automatically analyse it for u, and can tell what are BAD things running on ur system... so u can work with them on ur own rather than posting them here and waiting for someone to analyse them for u, right :)
u can get the latest hijackthis version from here >> http://tools.radiosplace.com/HijackThis.exe

Post Back and Good Luck :)
0
 
LVL 6

Assisted Solution

by:knoxj81
knoxj81 earned 450 total points
ID: 12059341
First check your HOST file. Default host file will look like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost



____________ E N D____________

Also try Flushing your DNS.

START >> RUN : CMD

now that your in command prompt type:  ipconfig /flushdns

Let me know,

Jorden
0
 

Author Comment

by:rdegroup
ID: 12059424
Folks, thanks for the feedback and speedy at that.  I know th\e host files is fine, since I checked it carefully as an old Unix Networking guy would.  

I should have RTFM on ipconfig to find the flush command, but will take a look and see whether I can get it to help.

as for the HJT log, I need to go back and get that, as I only have th eprintout handy and I am sure you do not want a PDF scan of that !

more to come ...
0
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12059484
>> and I am sure you do not want a PDF scan of that !

lol.... no not at all... u can take ur time to work on it personally :)
Good Luck =)
0
 

Author Comment

by:rdegroup
ID: 12075444
Folks,

I have resolution.  The parasite in question managed somehow to insert it's own IP address into the top of the DNS list for the network adapter.  Hence all name queries were redirected to that para-site whenever I went looking for some site that might help me diagnose.

The Offending DNS entry was 209.47.15.118 for the record - and any future searchers.

I am going to split the points as you both helped my creative juices even if the solution was way over in left field.

Hope that is OK with you guys.

thanks
Roger
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12075475
no problem at all... glad u got it resolved :)
Cheers ^_^
0
 

Author Comment

by:rdegroup
ID: 12075478
The split does not look so good as I can oly assign one person as the accepted answer.  Sorry but you did help and I hope that is OK
0
 
LVL 6

Expert Comment

by:knoxj81
ID: 12076224
cool thanks man. I can't seem to pull up anything on that IP.

Anyone find anything?
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What's worse than having your data encrypted by ransomware? Getting attacked by a so-called "wiper," which simply destroys the data and offers you no hope of ever seeing it again.
Ransomware, the malware that locks down its victim’s files until they pay up, has always been a frustrating issue to deal with. However, a recent mobile ransomware will make the issue a little more personal… by sharing the victim’s mobile browsing h…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question