Solved

Does Spyware change your DNS settings?

Posted on 2005-04-12
Medium Priority
1,850 Views
Last Modified: 2008-01-09

On two computers recently I've seen....when you type in a website, e.g. www.google.com ...it would go (at the bottom of the screen) searching www.google.com.net then www.google.com.org etc.

They would do this with every site....an error page would then be displayed saying something about DNS error.

Is that spyware at work? Secondly, is there an advantage to setting your DNS manually instead of just clicking "assign DNS automatically"?
Question by:jetsonx
9 Comments
 
LVL 5

Expert Comment

by:simonenticott
ID: 13768125
Hi,

Lots of spyware will hijack your browser session and route stuff through alternative websites for various reasons (generate revenue for themselves, install other nasty software etc.), but I've not come across any spyware that changes your DNS settings, though it really wouldn't surprise me if they did; it could be used by the writers to send you to false or phishing sites.
I'd try running Adaware and Spybot to see if that picks anything up, they both have free versions:  
http://www.lavasoftusa.com/software/adaware/
http://www.safer-networking.org/en/index.html

as for your second question-
You should set your DNS to pickup automatically if you use DHCP - that is where the PC contacts a DHCP server (or your router/cable modem) and is given an IP address and other details it needs to connect to the network/internet etc.

Setting the DNS manually is fine if you know the address of the DNS servers.  You have to set it manually if you use static IP addresses, if you didn't your PC wouldn't know about any DNS servers to talk to.

Simon,
0
 
LVL 6

Expert Comment

by:icemanwol
ID: 13768229
It could be a hijacked host file. Check C:\WINDOWS\system32\drivers\etc (or c:\windows for Windows 98/ME), then open the HOST file in Notepad. The only entry in there should be 127.0.0.1 localhost
0
 
LVL 8

Assisted Solution

by:bilbus
bilbus earned 320 total points
ID: 13769317
IE also has a setting to add .com, .org, .net to a URL if it can't find the dot com. You probably have a broken TCP/IP stack. Try to repair your LSP

http://www.cexx.org/lspfix.htm

that will fix it
0
 
LVL 3

Assisted Solution

by:Beluga
Beluga earned 120 total points
ID: 13774268
On its own, this behaviour doesn't indicate spyware. It happens when IE can't connect to a DNS server, or when it can't connect to the Internet at all.

If it can't find, e.g. www.google.com, it will assume that you've missed out part of the name, and will start trying different suffixes (www.google.com.com, www.google.com.org). So on a machine with a working Internet connection, if you type www.google, you will eventually get through to www.google.com, www.google.org, or something (depending on the order it tries).

There's a setting in Internet Options that turns this behaviour on and off.

As to the root cause of the problem, it could be a number of things: static IP address missing, DHCP server not responding, incorrect DNS server details, etc. Troubleshoot as any other Internet connection problem (e.g. IPCONFIG).

As for the second question, my approach is: if it ain't broke, don't fix it. If the automatically assigned DNS servers aren't causing a problem, then leave them automatically assigned. If they're causing a problem, then try manual configuration but put it back to automatic when the problem is solved.
0
 

Accepted Solution

by:
ghods earned 120 total points
ID: 13789965
Please check your HOSTS file entry. You may view the file under the c:\windows\system32\drivers\etc directory.
Generally worms or spyware block you from visiting antivirus vendor sites or generally visited sites such as windowsupdate.microsoft.com

It adds an entry in the HOSTS file such as...
127.0.0.1 symantec.com
127.0.0.1 windowsupdate.microsoft.com

Remember, before connecting to your DNS server your OS reads the HOSTS file entries; if it finds a match it connects to that IP.

Moreover, I have seen worms doing this kinda act than spywares.

Cheers :)
0
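The HOSTS check that icemanwol and ghods describe above, written out as an added example (not code from any poster in this thread): it parses a hosts file and reports every mapping other than a loopback `localhost`, separating names pinned to a loopback or null address (blocked) from names pointed at some other IP (redirected). The sample file is constructed; `symantec.com` and `windowsupdate.microsoft.com` come from the answer, while the `.test` names and the 203.0.113.7 address are placeholders.

```python
import ipaddress

# Constructed sample. On Windows XP the real file is the one named in the
# thread: C:\WINDOWS\system32\drivers\etc\hosts
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 symantec.com
127.0.0.1 windowsupdate.microsoft.com   # trailing comment
0.0.0.0 liveupdate.example-av.test
203.0.113.7 www.example-bank.test
not-an-ip broken.line
"""

BENIGN_NAMES = {"localhost"}  # assumption: the only entry expected on a clean box


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            yield line_no, None, line  # first field is not an IP address
            continue
        for name in fields[1:]:  # one line may carry several aliases
            yield line_no, ip, name.lower()


def audit_hosts(text):
    """Return (line_no, hostname, verdict) for every entry worth a look."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if ip is None:
            findings.append((line_no, name, "malformed"))
        elif name in BENIGN_NAMES and ip.is_loopback:
            continue
        elif ip.is_loopback or ip.is_unspecified:
            findings.append((line_no, name, "blocked"))
        else:
            findings.append((line_no, name, "redirected"))
    return findings


if __name__ == "__main__":
    for line_no, name, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {verdict}")
```

To audit a real machine, read the hosts file into a string and pass it to `audit_hosts`; legitimate custom entries (intranet names, ad-blocking lists) will also be listed and need a human decision.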
 
LVL 3

Expert Comment

by:Beluga
ID: 13793433
It cannot be the HOSTS file in this example.

The HOSTS file only changes the IP address that the browser visits. It does not (and cannot) affect the URL displayed in IE. Try it with some settings of your own.
0
 

Author Comment

by:jetsonx
ID: 13809879
bilbus, I think your suggested LSP fix solved the problem. Beluga, yip, it was not the hosts file...ghods I gave you some points because adding the virus producer in the hosts file seemed to make an update possible,

Thanks guyz.

PS: Beluga: "There's a setting in Internet Options that turns this behaviour on and off" just for future reference, where is that setting?
0
 
LVL 3

Expert Comment

by:Beluga
ID: 13810851
Turning off the IE setting:

This is one of those occasions where I've seen it done, but I don't know exactly how. And I'm afraid I use Mozilla rather than IE!

Having said that, a quick web search shows it *might* be the following setting in TCP/IP properties, and not in IE:

http://support.microsoft.com/default.aspx?scid=kb;en-us;305553#5

The above is for XP, but the Windows 2000 settings should be in the same place. In Windows 98, it's in TCP/IP properties -> DNS Configuration -> Domain suffix search order.

Hope this is of some help! :o)
0
 

Author Comment

by:jetsonx
ID: 13811575
Thanks for that Beluga.
0
