Does Spyware change your DNS settings?


On two computers recently I've seen... when you type in a website, e.g. www.google.com, it would go (at the bottom of the screen) searching www.google.com.net, then www.google.com.org, etc.

They would do this with every site... an error page would then be displayed saying something about a DNS error.

Is that spyware at work? Secondly, is there an advantage to setting your DNS manually instead of just clicking "assign DNS automatically"?
jetsonx Asked:
 
ghods Commented:
Please check your HOSTS file entries. You may view the file under the c:\windows\system32\drivers\etc directory.
Generally, worms or spyware block you from visiting antivirus vendor sites or generally visited sites such as windowsupdate.microsoft.com

It adds an entry in the HOSTS file such as...
127.0.0.1 symantec.com
127.0.0.1 windowsupdate.microsoft.com

Remember, before connecting to your DNS server your OS reads the HOSTS file entries; if it finds a match, it connects to that IP.

Moreover, I have seen worms doing this kind of act more than spyware.

Cheers :)
0
 
simonenticott Commented:
Hi,

Lots of spyware will hijack your browser session and route stuff through alternative websites for various reasons (generate revenue for themselves, install other nasty software etc.), but I've not come across any spyware that changes your DNS settings, though it really wouldn't surprise me if they did; it could be used by the writers to send you to false or phishing sites.
I'd try running Adaware and Spybot to see if that picks anything up, they both have free versions:  
http://www.lavasoftusa.com/software/adaware/
http://www.safer-networking.org/en/index.html

As for your second question:
You should set your DNS to pick up automatically if you use DHCP - that is where the PC contacts a DHCP server (or your router/cable modem) and is given an IP address and other details it needs to connect to the network/internet etc.

Setting the DNS manually is fine if you know the address of the DNS servers.  You have to set it manually if you use static IP addresses, if you didn't your PC wouldn't know about any DNS servers to talk to.

Simon,
0
 
icemanwol Commented:
It could be a hijacked host file. Check C:\WINDOWS\system32\drivers\etc (or c:\windows for Windows 98/Me), then open the HOST file in Notepad. The only entry in there should be 127.0.0.1 localhost
0
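An added example, not posted by anyone in the thread: a small Python audit of a HOSTS file for the kind of entries ghods and icemanwol describe above (anything beyond the default `127.0.0.1 localhost`, with antivirus and update domains called out). The sample file and the watch list are constructed for illustration.

```python
import ipaddress

# Constructed sample: the default entry, the two entries quoted in the thread,
# plus one unrelated mapping and one malformed line.
SAMPLE_HOSTS = """\
# sample HOSTS file (constructed)
127.0.0.1       localhost
127.0.0.1 symantec.com
127.0.0.1 windowsupdate.microsoft.com   # not a default entry
10.0.0.5  intranet.example.test
not-an-ip broken.example.test
"""

# Assumption: illustrative watch list; extend with the vendors you rely on.
WATCHED_SUFFIXES = ("symantec.com", "microsoft.com")


def parse_hosts(text):
    """Yield (line_no, ip_or_None, hostname) for every name mapped in the file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None                            # first field is not an address
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")


def audit_hosts(text, watched=WATCHED_SUFFIXES):
    """Return (line_no, hostname, reason) for every entry beyond the localhost default."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if ip is None:
            findings.append((line_no, name, "malformed address"))
        elif name == "localhost" and ip.is_loopback:
            continue                             # expected default entry
        elif any(name == s or name.endswith("." + s) for s in watched):
            how = "sinkholed" if ip.is_loopback or ip.is_unspecified else "redirected"
            findings.append((line_no, name, f"watched domain {how} to {ip}"))
        else:
            findings.append((line_no, name, f"unexpected entry -> {ip}"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

To check a real machine, read the HOSTS file from the directory named in the posts above and pass its text to `audit_hosts`.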
 
bilbus Commented:
IE also has a setting to add .com, .org, .net to a URL if it can't find the dot com. You probably have a broken TCP/IP stack. Try to repair your LSP

http://www.cexx.org/lspfix.htm

that will fix it
0
 
Beluga Commented:
On its own, this behaviour doesn't indicate spyware. It happens when IE can't connect to a DNS server, or when it can't connect to the Internet at all.

If it can't find, e.g. www.google.com, it will assume that you've missed out part of the name, and will start trying different suffixes (www.google.com.com, www.google.com.org). So on a machine with a working Internet connection, if you type www.google, you will eventually get through to www.google.com, www.google.org, or something (depending on the order it tries).

There's a setting in Internet Options that turns this behaviour on and off.

As to the root cause of the problem, it could be a number of things: static IP address missing, DHCP server not responding, incorrect DNS server details, etc. Troubleshoot as any other Internet connection problem (e.g. IPCONFIG).

As for the second question, my approach is: if it ain't broke, don't fix it. If the automatically assigned DNS servers aren't causing a problem, then leave them automatically assigned. If they're causing a problem, then try manual configuration but put it back to automatic when the problem is solved.
0
 
Beluga Commented:
It cannot be the HOSTS file in this example.

The HOSTS file only changes the IP address that the browser visits. It does not (and cannot) affect the URL displayed in IE. Try it with some settings of your own.
0
 
jetsonx (Author) Commented:
bilbus, I think your suggested LSP fix solved the problem. Beluga, yip, it was not the hosts file... ghods, I gave you some points because adding the virus producer in the hosts file seemed to make an update possible.

Thanks guyz.

PS: Beluga: "There's a setting in Internet Options that turns this behaviour on and off" - just for future reference, where is that setting?
0
 
Beluga Commented:
Turning off the IE setting:

This is one of those occasions where I've seen it done, but I don't know exactly how. And I'm afraid I use Mozilla rather than IE!

Having said that, a quick web search shows it *might* be the following setting in TCP/IP properties, and not in IE:

http://support.microsoft.com/default.aspx?scid=kb;en-us;305553#5

The above is for XP, but the Windows 2000 settings should be in the same place. In Windows 98, it's in TCP/IP properties -> DNS Configuration -> Domain suffix search order.

Hope this is of some help! :o)
0
 
jetsonx (Author) Commented:
Thanks for that Beluga.
0
Question has a verified solution.
