techtogo asked:
DNS Issue - Pings to anti-virus/spyware sites resolving to 127.0.0.1

I've got a system that had a bunch of spyware on it and I've been able to remove the bulk of it, but now the only problem left is that when I try and browse to certain websites (grisoft.com, symantec.com, Windowsupdate.microsoft.com, etc.) it resolves the address to my local loopback address (127.0.0.1) and then oftentimes will do a Google search for that URL and the results will point me to spyware-riddled websites.

I've done scans with AVG, SuperAntiSpyware, HijackThis, and even some manual removal of items, but I'm at a loss on why this is happening.  I've checked my Hosts/LMHosts files and there aren't any entries in there either.

Hopefully someone can please help me out with this.  I'd like to avoid having to reload this PC if possible.  Thanks!
lavionline

Although you can still try to recover this server back to its original state, it is recommended that you do a re-install.
Which machine is infected with spyware? Is it the DNS server itself?
You mentioned that some websites resolve to your loopback address. Are you trying to PING those websites?
Are you typing them into IE directly and you can't reach them?
Did you try to do NSLOOKUP and see if they still resolve to loopback?
Make sure you check registry entries @ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This is where most of the stuff resides that becomes active on startup. If you see any junk there, take it off the machine.
Nitin Gupta
Hi,
Suggestions....
  • It looks like a classic case of IE Hijacking....please follow these links to correct that...
  • Also go to Start --> Run --> Cmd -> ping and see if you can successfully ping these websites (I mean it does not go to the loopback IP); if loopback, then....
    • Please have a look at your hosts file [c:\Windows\System32\drivers\etc\hosts] and see if there are any entries there for the websites pointing to your loopback address. Remove them!
    • Go to Start --> Run --> Cmd -> nslookup and let me know whether these websites are being resolved to the correct IPs or the loopback IP. If loopback address, then we will check the DNS server.
Please do let me know what you get.
Thanks
Nitin Gupta
So you think your system is cleaned other than this?  Assuming you can clear up that issue, are you really saying you believe you're safe enough to do your online banking and other financial transactions?  How much time have you put into cleaning up the system so far?  I've reached a point where, especially after attending FBI-sponsored meetings on malware and security user group meetings, I will not clean a machine - there's too much and it's a LOSING BATTLE.  If you're infected, the safest, most practical thing to do is wipe and reinstall.  Some malware will even do things to fix your computer... but that doesn't mean these bad guys won't still steal your identity or something.

Wipe it and reinstall.  Then go buy a product like Acronis True Image and create periodic images so you can always restore to a point if something like this happens again.
techtogo (ASKER)

OK, I did the NSLookup on several of the addresses that I can't browse to and they come back with the correct address, so that works.  It's just when I ping them or try to browse to them that they end up going to the 127 address.

Also, this is happening in both IE and Firefox, so it's definitely not something specific to IE.

Finally, I checked the Run/Run Once registry entries and there isn't anything there that shouldn't be.

Does anyone have any suggestions based on this additional information?  Thanks!
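The two checks Nitin Gupta's steps and techtogo's follow-up revolve around (is the hosts file pinning vendor sites to loopback, and does the OS resolver path that ping and browsers use disagree with a direct DNS answer as nslookup gets it) can be scripted. The following Python triage helper is an added example, not code from this thread or from any tool mentioned in it. The hosts-file text and the two resolution tables are constructed sample data; the watched-domain list and the verdict wording are my assumptions. A loopback verdict with no hosts-file hit is exactly the asker's situation and points at something hooking the resolver between the application and DNS rather than at the DNS server.

```python
"""Triage helper for "nslookup is right but ping/browser goes to 127.0.0.1".

Added example for this thread; runs entirely on constructed sample data.
"""
import ipaddress
import re
import socket

# Constructed sample hosts file. The vendor names mirror the ones the asker
# listed; the redirect lines show what a hosts-file hijack typically looks like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       grisoft.com www.grisoft.com
127.0.0.1       symantec.com
0.0.0.0         windowsupdate.microsoft.com
"""

# Constructed resolution tables. SYSTEM is what the OS resolver returned
# (hosts file, DNS cache, any hooked resolver); DNS is a direct server answer.
# IPs are from the 198.51.100.0/24 documentation range, not real addresses.
SAMPLE_SYSTEM = {"grisoft.com": "127.0.0.1",
                 "symantec.com": "127.0.0.1",
                 "example.com": "198.51.100.7"}
SAMPLE_DNS = {"grisoft.com": "198.51.100.10",
              "symantec.com": "198.51.100.11",
              "example.com": "198.51.100.7"}

# Names that are legitimately mapped to loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments,
    blank lines and lines whose first field is not a valid IP address."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; a defender may want to log these too
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def suspicious_hosts_entries(text):
    """Entries that pin a non-local hostname to a loopback or 0.0.0.0 address,
    the classic hosts-file hijack of update and anti-virus sites."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            hits.append((name, ip))
    return hits


def classify_discrepancies(system_answers, dns_answers):
    """Compare OS-resolver answers with direct DNS answers and return a
    name -> verdict map for every name whose two answers disagree."""
    verdicts = {}
    for name, sys_ip in system_answers.items():
        dns_ip = dns_answers.get(name)
        if dns_ip is None or sys_ip == dns_ip:
            continue
        sys_addr = ipaddress.ip_address(sys_ip)
        if sys_addr.is_loopback or sys_addr.is_unspecified:
            # DNS is fine but the local path is not: hosts file or a hooked
            # resolver (the symptom described in this thread).
            verdicts[name] = "resolver-path hijack (hosts file or hooked resolver)"
        elif ipaddress.ip_address(dns_ip).is_loopback:
            verdicts[name] = "DNS server itself answers loopback (check configured DNS)"
        else:
            verdicts[name] = "answers differ (stale cache or split DNS)"
    return verdicts


def system_resolve(names):
    """Live helper for real use: ask the OS resolver, the same path ping and
    browsers take. Not exercised on the sample data (needs a network)."""
    out = {}
    for name in names:
        try:
            out[name] = socket.gethostbyname(name)
        except socket.gaierror:
            out[name] = None
    return out


if __name__ == "__main__":
    print("hosts-file hits:", suspicious_hosts_entries(SAMPLE_HOSTS))
    for name, verdict in classify_discrepancies(SAMPLE_SYSTEM, SAMPLE_DNS).items():
        print(f"{name}: {verdict}")
```

In real use, fill the system table with `system_resolve()` and the DNS table from `nslookup` output against the same names; a resolver-path verdict together with an empty hosts-file hit list means the interception sits in the resolver stack itself, which is the case that scanning files and registry Run keys alone will not reveal.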
Check your hosts file as mentioned above; a lot of spyware will put well-known sites in there to go to localhost.
Sorry, I forgot to mention that I had also checked the hosts file and there is nothing in there except for the default entry.  Thanks!
ASKER CERTIFIED SOLUTION
http:// thevpn.guru
Hi Techtogo,
Please confirm the steps I had suggested in my previous post
Thanks
Nitin
Also, post your HijackThis log for us to take a look and get a second opinion on.
ComboFix did the trick.  Looks like it was a DNS hijack running as a rootkit attack.  Thanks shakoush2001!
ComboFix did the trick. Looks like it was a DNS hijack running as a rootkit attack and ComboFix removed it easily.
Glad it worked
And I hope you're right... I hope nothing else has infected you that you're unaware of.  Otherwise, I hope your money and identity aren't important to you.
Agree 100% with Lee Wilbur!
Best of luck!!