can't access google... suspect DNS

one of our staff has got themselves a nasty malware infection.  I've since removed it and the computer is functioning ok again except google (and yahoo).
It doesn't matter which browser is used, google "can not be found" and yahoo loads, but no search results work.
If i ping the urls, they resolve to something quite different from other PC's in the office.
I thought, maybe the malware put a dummy proxy in - nothing found.
So maybe it changed the hosts file - all looks normal.
So i did ipconfig /all - settings (except ip) are identical to the other pc's.
So i did ipconfig /flushdns - didn't help.

Where else in Win XP (SP3) can settings be changed to cause these problems?
LVL 8
Reece DoddsAsked:
Who is Participating?
 
optomaCommented:
Ok.
Can you run this quick scanner first before Combofix. Post logs for all :)
http://www.surfright.nl/en/hitmanpro Hitmanpro
0
 
dbruntonCommented:
Check this location in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

and see that it points to your Hosts file.
0
 
AriMcCommented:
Wild idea: Are the ipconfig.exe sizes, dates and md5 hashes same on this computer and the others? Maybe the virus changed that and is returning the old saved values?

0
KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

 
Sudeep SharmaTechnical DesignerCommented:
0
 
Reece DoddsAuthor Commented:
thanks guys

laptop is on it's way to me now so i can work on it in person rather than remotely

i'll let you know of my findings
0
 
aleghartCommented:
If you're getting hands-on, might be a good time to re-image or re-install the entire thing.  Much cleaner than cleaning up after malware and years of use.
0
 
optomaCommented:
Any name on malware and what tools used to clean it?

If needed, run Combofix and post log here which maybe useful :)
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
Reece DoddsAuthor Commented:
just need to get it working for the solicitor to use over the remainder of this week and next.
we're purchasing him a new laptop prior to him going OS on the 20th.  Once he's gone i'll format the s**t out of the drive.

don't remember the name of the malware infection, it was a variant of the antivirus 2011 scareware type one.  it hijacked all his google search results, disabled security centre and symantec endpoint.
use fully updated malwarebytes in safe-mode to remove it.
plus ur standard IE8 reset, msconfig, disk cleanup etc.
0
 
YotefnCommented:
Check the following file:

c:\windows\system32\drivers\etc\hosts

for any entries other than the standard 127.0.0.1 localhost address.

Anything else in there will mess up dns.
0
 
phototropicCommented:
You could reset your hosts file via Hostsxpert:

http://www.funkytoad.com/index.php?option=com_content&id=13

Some malware will mess with the hosts file, or lock it so that you are denied access to edit it.

I recently helped an asker with this problem. See if the hosts file procedures here will help:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_26804419.html

Good luck!!!
0
 
Russell_VenableCommented:
This is definitely a reminent of TDSS 3. Did the TDSS.sys driver get removed fully by MBAM? If not use unhackme to make sure. The rootkit installed by TDSS 3 was much harder to rid of even using MBAM. The new layer they goto install is a low level access. Makes it harder to detect if the scanner is not at boot sector level. MBAM is not designed to by default is not designed to scan boot sector. Unhackme is designed to run before any driver is loaded and creates a virtual sandbox for rootkit control. I prefer using this if there is a rootkit involved doing malware analysis myself in my lab. Those chinese hackers are at it again...Dang it! Here is the link http://www.greatis.com/unhackme/

Be sure to check the other experts comments closely and follow directions to the point. Malware disinfection is no joking business.

Knowledge for today:
Here it comes! Did you know that the developer of the rootkit liked reciting poetry? So says the poetic notes left in the binary they so thoughtfully left behind for analyists. They also like Homer Simpson!
0
 
younghvCommented:
If you're going to blow away that computer and re-image it, you won't need these instructions, but you can save them for the next time one of your users gets infected.

NOTE: This is NOT one of the malware variants for which you should use MBAM in Safe Mode. Safe Mode is almost never recommended for MBAM and should always be followed with a "Normal Mode" scan.

(http://forums.malwarebytes.org/index.php?showtopic=17334&pid=89009&mode=threaded&start=#entry89009)

The actual removal steps for "AntiVirus System 2011" are here:

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-2011
0
 
lancecurwensvilleCommented:
Winsock Fix.  
download, run, reboot when prompted.
This will reset hosts file and tcp/ip stack

http://www.snapfiles.com/get/winsockxpfix.html

0
 
Reece DoddsAuthor Commented:
finally got the system today...

Working through your posts 1by1.

@
dbrunton:Check this location in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

and see that it points to your Hosts file.

It points to %SystemRoot%\System32\drivers\etc which is normal.
0
 
Reece DoddsAuthor Commented:
@ SSharma:   Kapersky's TDSS killer found 0 threats.  Symantec's one is running now.
0
 
younghvCommented:
Note the actual title of the instructions at the link I gave you:

"Remove AntiVirus System 2011"
Based on what your user described, it would seem a good place to start.
*************

The actual removal steps for "AntiVirus System 2011" are here:

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-2011 
0
 
Reece DoddsAuthor Commented:
Whoa....  I just found the problem.

The malware set the hosts file as a system file, which was previously hidden on this computer and added another file called hosts which looked normal.

I found this because i deleted all files in the etc folder, and went to move clean ones accross from another computer but it said that the hosts file already exists.  size mismatch too! (the existing one was 2.7KB and the clean file i was moving was 773b)...

So i turned on show system files, and found the modified file.
Here is what it contains:


# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
204.152.194.204 www.google.com 
204.152.194.204 google.com
204.152.194.204 google.com.au
204.152.194.204 www.google.com.au
204.152.194.204 google.be
204.152.194.204 www.google.be
204.152.194.204 google.com.br
204.152.194.204 www.google.com.br
204.152.194.204 google.ca
204.152.194.204 www.google.ca
204.152.194.204 google.ch
204.152.194.204 www.google.ch
204.152.194.204 google.de
204.152.194.204 www.google.de
204.152.194.204 google.dk
204.152.194.204 www.google.dk
204.152.194.204 google.fr
204.152.194.204 www.google.fr
204.152.194.204 google.ie
204.152.194.204 www.google.ie
204.152.194.204 google.it
204.152.194.204 www.google.it
204.152.194.204 google.co.jp
204.152.194.204 www.google.co.jp
204.152.194.204 google.nl
204.152.194.204 www.google.nl
204.152.194.204 google.no
204.152.194.204 www.google.no
204.152.194.204 google.co.nz
204.152.194.204 www.google.co.nz
204.152.194.204 google.pl
204.152.194.204 www.google.pl
204.152.194.204 google.se
204.152.194.204 www.google.se
204.152.194.204 google.co.uk
204.152.194.204 www.google.co.uk
204.152.194.204 google.co.za
204.152.194.204 www.google.co.za
204.152.194.204 www.google-analytics.com
204.152.194.204 www.bing.com
204.152.194.204 search.yahoo.com
204.152.194.204 www.search.yahoo.com
204.152.194.204 uk.search.yahoo.com
204.152.194.204 ca.search.yahoo.com
204.152.194.204 de.search.yahoo.com
204.152.194.204 fr.search.yahoo.com
204.152.194.204 au.search.yahoo.com
0
 
younghvCommented:
OK - this the third time we've seen this on EE that I know of - all related to an infected router.

Similar symptoms - and of course, as soon as you clean the computer, it gets reinfected.

More to follow.
0
 
younghvCommented:
Try using this HOSTS file first - it might at least get you connecting.

http://www.mvps.org/winhelp2002/hosts.htm
0
 
Reece DoddsAuthor Commented:
the question is now... what services to i disable to be able to modify or delete the bad hosts file?

can i change the registry location of it?

@ youngv:  i hadn't got to your post yet.  don't fret, i will run your link anyway
0
 
younghvCommented:
As a Techie, you probably already know this - but if you can't 'replace' it with the MVPS HOSTS file, you can simply delete the HOSTS file and re-boot.
Windows will recreate the generic one when the system comes back up.
0
 
younghvCommented:
Sorry - we're cross posting.

Strike my comment above about the router - I think this is just the plain old "AntiVirus System 2011"

Rkill will stop the malware processes:
http://www.bleepingcomputer.com/download/anti-virus/rkill
0
 
younghvCommented:
"phototropic" was the first to mention the HOSTS file and suggest a replacement.
http:#a35034361

I apologize for overlooking that. He is a real pro at this stuff and you can trust his advice.

There are a couple of real garbage posts here that you should ignore.

"ComboFix", "TdssKiller", and "Hitmanpro" are NOT indicated for these symptoms.
0
 
Reece DoddsAuthor Commented:
ok... i've somehow renamed the compromised hosts file to "hosts-bad".
I've moved all clean etc files into the laptop's etc folder.
restarted the computer and i can now access google, yahoo and all the other norms.

I still can't delete "hosts-bad" though... it says "Cannot delete hosts-bad: Access is denied.  Make sure that the disk is not full or write-protected and that the file is not currently in use." OK.

Just a note, this file is now a "system file" whereas a normal hosts file isn't.

Any ideas?
0
 
younghvCommented:
You may have to re-boot to "Safe Mode", plus there are some hard-corps file deleters I have used in the past.

Try 'right-clicking' on that file, go to Properties, and "Take Ownership".

That might enable you do delete it without re-booting.
0
 
Reece DoddsAuthor Commented:
thanks mate...
hitmanpro is reporting that IE is using a proxy server on the PC:  127.0.0.1:25576

ignore?
0
 
younghvCommented:
I would go into your networking properties (or IE) and remove the 'Proxy' check mark.
Picture to follow.
0
 
Reece DoddsAuthor Commented:
dude... i know where that is... if you read my O.P i said that there is no proxy settings there at all.
anyways... i've ignored hitmanpro's suggestion.

rebooted into safe-mode.  I already have ownership of the hosts-bad file, but the permissions were set to read-only.  I changed to full control, deleted the file, rebooted and so far, all seems well.

thanks.
0
 
younghvCommented:
Pictures Tools Options in IE LAN Settings
0
 
younghvCommented:
Oops!
I'll save those pics for someone who needs them.
Forgot to refresh my damn screen.
0
 
Reece DoddsAuthor Commented:
all seems well.  one thing though...

i did another reset of IE8 and it keeps putting a freaking ebay url as the homepage.  any ideas what is causing this?
0
 
AriMcCommented:
In this scenario I'd also seriously consider backing up the vital data on the user's computer, then simply wipe the hard disk and reinstalling everything.

This is what sometimes happens to Windows.

0
 
younghvCommented:
The last thing I saw was that you ran "HitmanPro" (which is not really indicated for this) - but have you yet gone through the detailed instructions at the link I posted?
**************

AriMc - read the Asker's comment here: http:#a35032789 - the idea is to get the computer functioning and back to the user.

Format/reinstall is planned for the future.
0
 
Reece DoddsAuthor Commented:
He is getting a new laptop within the week as he goes to europe on the 20th.
After he goes and leaves me with this STD machine, i will be doing a full rebuild before passing on to a more cautious staff member...
0
 
optomaCommented:
I wouldn't leave that proxy setting. BTW , what software firewall is in use?
0
 
Russell_VenableCommented:
@Reecem27, check to see if you have files named ssta5 or similar in your windows\temp, system32, and last system32\prefetch folder the recent rootkit that is starting to spread is using these locations to store vital files for it run. Just curious if this is the same kit used. It does a few thighs different then the past rootkits.
0
 
Russell_VenableCommented:
I forgot to add there will also be file names user with random characters like 2g6gjddj.exe.179ah not your normal polymorphic file name variation.
0
 
AriMcCommented:
younghv: Sometimes it's (at least financially speaking) better to just start over instead of spending dozens of hours on a simple laptop with a serious problem.

I mean: a soliciter probably has a number of his/her own documents on the computer and nothing else that can't be easily replaced with a fresh install. Even a  new medium range laptop costs just about 2 hours of work of a professional computer technician, so what's the point of trying to find the root cause of it?
(academic interest would be a valid point, but not viable in a commercial
environment).





0
 
Reece DoddsAuthor Commented:
@ AriMc and younghv:  as any tech knows, you always try for a quick fix... if that fails or is starting to use too much time, rebuild the damn thing!

So yeah, i was looking for a suggestion or utility that would fix the issue without spending hours of reading up on how to use the program or reprogramming the matrix...  if they were unsuccessful, i'd backup, wipe and reinstall.  

That said, as i mentioned in my first post today younghv, i'd received such an overwhelming list of suggestions, i thought it best to work through them in FIFO method (first-in-first-out).  Hitmanpro was suggestion 3.

I'm about to close this question, and credit will go to what i feel the best suggestion that led to my compromised hosts file discovery was.

many of these posts were redundant because they were suggesting that i check something i'd already done and stated in the OP.
0
 
optomaCommented:
Just dont forget to remove the proxy using Hitmanpro or Hijakthis, if present as it stands and if using windows firewall, check the exceptions tab entries :)
0
 
Reece DoddsAuthor Commented:
It was Hitmanpro that made me doubletake on the hosts file situation, Phototropic's idea of resetting it that gave me the idea of using the etc folder from another PC, and younghv's help that allowed me to remove the hosts-bad file.

Thanks again for everyone's input.
0
 
optomaCommented:
No prob reecem27.
0
 
phototropicCommented:
I've been off-line all day - sorry not to get back to you.

Glad to hear that your problem is resolved.
0
 
Russell_VenableCommented:
Anyways... I would suggest you keep track of your internet traffic with snort and lswt rules looking for traffic coming from that proxy address:port and the router address and see if you get any hit traffic if you do the problem may persist and there may be reason to reset the router to default settings after backing up settings, update, and then reconfigure, next all you can do is hope the update is not flawed as well.
0
 
Reece DoddsAuthor Commented:
not to worry Russell... we run a Juniper hardware firewall and I most definately do not have that port open.  I'm a network nazi during office hours.
0
 
Russell_VenableCommented:
Sounds good =) hope all is well then
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.