Solved

DNS cache may be hijacked?

Posted on 2004-09-14
8
193 Views
Last Modified: 2010-04-11
I have a system with an intermittent problem.  It had been infected with Blazefind and Virtual Bouncer malware, but I removed them.

The current symptom is that when I attempt to go to certain sites (*.google.com, *.microsoft.com, yahoo, and a couple of others) the result is a page which looks like a "can't find site" name problem page, but all the links lead to the findwhat search engine for credit-cards, online-casinos etc.

Obviously this is a hijacked system.  The effect is intermittent, and sometimes lets me google after a reboot.  I notice the sites that it hangs on seem to be ones that I would go to to look for how to remove it :(

Here is the kicker.  It is not just an IE problem.  I installed Mozilla and its little brother Firefox and they are also affected, so I have to assume that something has gotten to the network layered service provider stacks.

I can find a couple of people who are also searching for this solution, but no real answers.   I have had several AV and spyware detection programs take a look, but nothing so far.  System is Win 2k SP#, and I don't want to apply SP4 until I can fix it.

This is a royal pain to fix, since it is the boss's home machine, so I don't have ready access to the machine to provide tons of HijackThis-type logs quickly, but may be able to trickle them through.

Question by:rdegroup
8 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 150 total points
ID: 12059330
Hello rdegroup =)

hmmmmm so have u yet tried checking ur Hosts file in c:\winnt\system32\drivers\etc\hosts
that if it contains the unwanted entries,,, i mean just make sure :)

of course as u said u are not able to use and post the log files..... but giving u lots of spyware removal tools and asking to run them is useless, as u have already cleaned ur system lots on ur own, so u dont need them, do u :)

if u cannot post here those long logs, then what u can do is to post them here >> http://www.hijackthis.de/index.php?langselect=english

this site can automatically analyse it for u, and can tell what are BAD things running on ur system... so u can work with them on ur own rather than posting them here and waiting for someone to analyse them for u, right :)
u can get the latest hijackthis version from here >> http://tools.radiosplace.com/HijackThis.exe

Post Back and Good Luck :)
0
 
LVL 6

Assisted Solution

by:knoxj81
knoxj81 earned 150 total points
ID: 12059341
First check your HOSTS file. The default HOSTS file will look like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost



____________ E N D____________

Also try Flushing your DNS.

START >> RUN : CMD

now that you're in the command prompt type:  ipconfig /flushdns

Let me know,

Jorden
0
 

Author Comment

by:rdegroup
ID: 12059424
Folks, thanks for the feedback and speedy at that.  I know the hosts file is fine, since I checked it carefully as an old Unix networking guy would.

I should have RTFM on ipconfig to find the flush command, but will take a look and see whether I can get it to help.

as for the HJT log, I need to go back and get that, as I only have the printout handy and I am sure you do not want a PDF scan of that !

more to come ...
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12059484
>> and I am sure you do not want a PDF scan of that !

lol.... no not at all... u can take ur time to work on it personally :)
Good Luck =)
0
 

Author Comment

by:rdegroup
ID: 12075444
Folks,

I have a resolution.  The parasite in question managed somehow to insert its own IP address into the top of the DNS list for the network adapter.  Hence all name queries were redirected to that para-site whenever I went looking for some site that might help me diagnose.

The Offending DNS entry was 209.47.15.118 for the record - and any future searchers.

I am going to split the points as you both helped my creative juices even if the solution was way over in left field.

Hope that is OK with you guys.

thanks
Roger
0
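A small audit script in the spirit of the two checks discussed in this thread (knoxj81's hosts-file check and Roger's finding that a rogue resolver had been placed first in the adapter's DNS list), added here as an example and not part of the original thread: it parses `ipconfig /all` output and a hosts file and flags entries that do not belong. Both sample texts are constructed; the rogue resolver address is the one Roger reports above, and the trusted-resolver set is an assumption you would replace with your own router or ISP DNS.

```python
import re

# Constructed sample of `ipconfig /all` output (not from the thread). The first
# DNS server is the rogue address Roger found; the second is the real resolver.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.20
        DNS Servers . . . . . . . . . . . : 209.47.15.118
                                            192.168.1.1
"""

# Constructed hosts file with one hijack-style mapping after the stock line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.44      www.google.com   # constructed redirect, not a real mapping
"""

def parse_dns_servers(ipconfig_text):
    """Return the adapter's DNS servers in the order Windows will query them."""
    servers, in_list = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:                      # first server sits on the labelled line
            servers.append(m.group(1))
            in_list = True
        elif in_list and re.match(r"\s+\d{1,3}(?:\.\d{1,3}){3}\s*$", line):
            servers.append(line.strip())   # continuation lines hold the rest
        else:
            in_list = False
    return servers

def rogue_dns_servers(servers, trusted):
    """Any resolver not in the trusted set (router, ISP, corporate DNS) is suspect."""
    return [s for s in servers if s not in trusted]

def suspicious_hosts_entries(hosts_text, loopback=frozenset({"127.0.0.1", "::1"})):
    """Flag every hosts mapping other than the stock loopback -> localhost line."""
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() != "localhost" or ip not in loopback:
                flagged.append((ip, name))
    return flagged
```

Run `rogue_dns_servers(parse_dns_servers(text), {"192.168.1.1"})` on real `ipconfig /all` output and the first entry returned is the one every lookup was being sent to; a non-empty result from `suspicious_hosts_entries` is the hosts-file equivalent.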
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12075475
no problem at all... glad u got it resolved :)
Cheers ^_^
0
 

Author Comment

by:rdegroup
ID: 12075478
The split does not look so good as I can only assign one person as the accepted answer.  Sorry but you did help and I hope that is OK
0
 
LVL 6

Expert Comment

by:knoxj81
ID: 12076224
cool thanks man. I can't seem to pull up anything on that IP.

Anyone find anything?
0