techtogo asked:
DNS Issue - Pings to anti-virus/spyware sites resolving to 127.0.0.1
I've got a system that had a bunch of spyware on it and I've been able to remove the bulk of it, but now the only problem left is that when I try to browse to certain websites (grisoft.com, symantec.com, windowsupdate.microsoft.com, etc.) it resolves the address to my local loopback address (127.0.0.1) and then oftentimes will do a Google search for that URL and the results will point me to spyware-riddled websites.
I've done scans with AVG, SuperAntiSpyware, HijackThis, and even some manual removal of items, but I'm at a loss on why this is happening. I've checked my Hosts/LMHosts files and there aren't any entries in there either.
Hopefully someone can please help me out with this. I'd like to avoid having to reload this PC if possible. Thanks!
Hi,
Suggestions....
- It looks like a classic case of IE hijacking....please follow these links to correct that...
- Also go to Start --> Run --> Cmd -> ping and see if you can successfully ping these websites (I mean, it does not go to the loopback IP). If loopback, then....
- Please have a look at your HOSTS file [c:\Windows\System32\drivers\etc\hosts] and see if there are any entries there for the websites pointing to your loopback address. Remove them!
- Go to Start --> Run --> Cmd -> nslookup and let me know whether these websites are being resolved to the correct IPs or the loopback IP. If the loopback address, then we will check the DNS server.
Thanks
Nitin Gupta
So you think your system is cleaned other than this? Assuming you can clear up that issue, are you really saying you believe you're safe enough to do your online banking and other financial transactions? How much time have you put into cleaning up the system so far? I've reached a point where, especially after attending FBI-sponsored meetings on malware and security user group meetings, I will not clean a machine - there's too much and it's a LOSING BATTLE. If you're infected, the safest, most practical thing to do is wipe and reinstall. Some malware will even do things to fix your computer... but that doesn't mean these bad guys won't still steal your identity or something.
Wipe it and reinstall. Then go buy a product like Acronis True Image and create periodic images so you can always restore to a point if something like this happens again.
ASKER
OK, I did the nslookup on several of the addresses that I can't browse to and they come back with the correct address, so that works. It's just when I ping them or try to browse to them that they end up going to the 127 address.
Also, this is happening in both IE and Firefox, so it's definitely not something specific to IE.
Finally, I checked the Run/Run Once registry entries and there isn't anything there that shouldn't be.
Does anyone have any suggestions based on this additional information? Thanks!
Check your hosts file as mentioned above; a lot of spyware will put well-known sites in there to go to localhost.
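The two checks the thread keeps coming back to, inspecting the hosts file for loopback entries and comparing what ping gets against what nslookup gets, can be scripted. The block below is an added example, not code from the thread or from any tool named in it; the hosts-file text and the lookup answers are constructed samples, and the domain names are the ones the asker listed. The triage function encodes why the ping-versus-nslookup comparison is useful: nslookup queries the configured DNS server directly and skips the hosts file, so a correct nslookup answer alongside a loopback answer from ping or the browser localises the problem to the machine's own resolution path (hosts file, Winsock/LSP, or something hooking resolution) rather than to the DNS server.

```python
"""Hosts-file audit and resolver triage for the "sites resolve to 127.0.0.1" symptom.

Added example, not part of the original thread. SAMPLE_HOSTS and the lookup
answers are constructed; nothing here reads the running machine.
"""
import ipaddress
from typing import List, Sequence, Tuple

# Addresses malware commonly uses to sinkhole a name in the hosts file.
SINKHOLE_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}

# Names that legitimately belong on a loopback line.
LEGITIMATE_LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                             "ip6-localhost", "ip6-loopback"}

# Constructed hosts-file content mimicking a spyware-edited file; the
# domains are the ones the asker reported, the layout is typical of Windows.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.  (comment line, ignored)
127.0.0.1       localhost
::1             localhost
# --- constructed hijack lines below ---
127.0.0.1 grisoft.com www.grisoft.com
127.0.0.1\tsymantec.com      # inline comment after the entry
0.0.0.0   windowsupdate.microsoft.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text.

    Handles comment lines, inline comments, tabs, and several hostnames
    per line, which is how real hosts files are written.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no names
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address; skip the line
        for name in fields[1:]:
            entries.append((ip, name.lower()))
    return entries


def find_hijacked_names(entries: Sequence[Tuple[str, str]]) -> List[str]:
    """Hostnames pointed at a loopback/blackhole address that are not local names."""
    return sorted(
        name for ip, name in entries
        if ip in SINKHOLE_ADDRESSES and name not in LEGITIMATE_LOOPBACK_NAMES
    )


def _all_sinkholed(answers: Sequence[str]) -> bool:
    # An empty answer set is "no answer", not "loopback".
    return bool(answers) and all(ip in SINKHOLE_ADDRESSES for ip in answers)


def triage(nslookup_answers: Sequence[str], resolver_answers: Sequence[str]) -> str:
    """Classify where a loopback answer is coming from.

    nslookup_answers: what `nslookup <name>` returned; it asks the DNS server
                      directly and does not consult the hosts file.
    resolver_answers: what ping or the browser got through the system
                      resolver (hosts file -> Winsock/LSP -> DNS).
    """
    ns_loop = _all_sinkholed(nslookup_answers)
    rs_loop = _all_sinkholed(resolver_answers)
    if rs_loop and not ns_loop:
        return "local-resolver-path"  # hosts file, Winsock/LSP, or a resolution hook
    if rs_loop and ns_loop:
        return "dns-server"           # the configured/upstream DNS answers loopback
    return "resolution-ok"            # names resolve; the problem is elsewhere


if __name__ == "__main__":
    hijacked = find_hijacked_names(parse_hosts(SAMPLE_HOSTS))
    print("hosts-file entries pointing well-known sites at loopback:", hijacked)
    # The asker's situation: nslookup correct (constructed documentation IP),
    # ping/browser loopback. A clean hosts file in this state points at the
    # resolver path itself, not at the DNS server.
    print("triage:", triage(["203.0.113.10"], ["127.0.0.1"]))
```

If `find_hijacked_names` returns nothing but `triage` still reports `local-resolver-path`, the hosts file is not the culprit and the next places to look are the Winsock provider chain and kernel-level hooks, which matches how this thread ended.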
ASKER
Sorry, I forgot to mention that I had also checked the hosts file and there is nothing in there except for the default entry. Thanks!
ASKER CERTIFIED SOLUTION
Hi Techtogo,
Please confirm the steps I had suggested in my previous post
Thanks
Nitin
Also, post your HijackThis log for us to take a look and get a second opinion on.
ASKER
ComboFix did the trick. Looks like it was a DNS hijack running as a rootkit attack. Thanks, shakoush2001!
ASKER
ComboFix did the trick. Looks like it was a DNS hijack running as a rootkit attack and ComboFix removed it easily.
Glad it worked
And I hope you're right... I hope nothing else has infected you that you're unaware of. Otherwise, I hope your money and identity aren't important to you.
Agree 100% with Lee Wilbur!
Best of luck!!
Which machine is infected with spyware? Is it the DNS server itself?
You mentioned that some websites resolve to your loopback address. Are you trying to PING those websites?
Are you typing them into IE directly and you can't reach them?
Did you try to do NSLOOKUP and see if they still resolve to loopback?
Make sure you check registry entries @ HKEY_LOCAL_MACHINE\SOFTWAR
This is where most of the stuff resides that becomes active on startup. If you see any junk there, take it off the machine.