Solved

can't access google... suspect DNS

Posted on 2011-03-03
Last Modified: 2013-11-22
One of our staff has got themselves a nasty malware infection. I've since removed it and the computer is functioning OK again, except for Google (and Yahoo).
It doesn't matter which browser is used: Google "can not be found" and Yahoo loads, but no search results work.
If I ping the URLs, they resolve to something quite different from other PCs in the office.
I thought maybe the malware put a dummy proxy in - nothing found.
So maybe it changed the hosts file - all looks normal.
So I did ipconfig /all - settings (except IP) are identical to the other PCs.
So I did ipconfig /flushdns - didn't help.

Where else in Win XP (SP3) can settings be changed to cause these problems?
Question by:Reece Dodds
47 Comments
 
LVL 48

Assisted Solution

by:dbrunton
dbrunton earned 50 total points
ID: 35032494
Check this location in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

and see that it points to your Hosts file.
 
LVL 9

Expert Comment

by:AriMc
ID: 35032501
Wild idea: Are the ipconfig.exe sizes, dates and MD5 hashes the same on this computer and the others? Maybe the virus changed that and is returning the old saved values?
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 35032507
 
LVL 7

Author Comment

by:Reece Dodds
ID: 35032590
Thanks guys.

The laptop is on its way to me now so I can work on it in person rather than remotely.

I'll let you know of my findings.
 
LVL 32

Expert Comment

by:aleghart
ID: 35032663
If you're getting hands-on, might be a good time to re-image or re-install the entire thing.  Much cleaner than cleaning up after malware and years of use.
 
LVL 22

Expert Comment

by:optoma
ID: 35032739
Any name for the malware, and what tools were used to clean it?

If needed, run Combofix and post the log here, which may be useful :)
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
LVL 7

Author Comment

by:Reece Dodds
ID: 35032789
Just need to get it working for the solicitor to use over the remainder of this week and next.
We're purchasing him a new laptop prior to him going OS on the 20th. Once he's gone I'll format the s**t out of the drive.

Don't remember the name of the malware infection; it was a variant of the Antivirus 2011 scareware type. It hijacked all his Google search results, and disabled Security Centre and Symantec Endpoint.
Used fully updated Malwarebytes in Safe Mode to remove it.
Plus your standard IE8 reset, msconfig, disk cleanup etc.
 
LVL 22

Accepted Solution

by:
optoma earned 250 total points
ID: 35032958
OK.
Can you run this quick scanner first, before Combofix? Post logs for all :)
http://www.surfright.nl/en/hitmanpro Hitmanpro
 
LVL 3

Expert Comment

by:Yotefn
ID: 35033113
Check the following file:

c:\windows\system32\drivers\etc\hosts

for any entries other than the standard 127.0.0.1 localhost address.

Anything else in there will mess up DNS.
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 150 total points
ID: 35034361
You could reset your hosts file via Hostsxpert:

http://www.funkytoad.com/index.php?option=com_content&id=13

Some malware will mess with the hosts file, or lock it so that you are denied access to edit it.

I recently helped an asker with this problem. See if the hosts file procedures here will help:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_26804419.html

Good luck!!!
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35036065
This is definitely a remnant of TDSS 3. Did the TDSS.sys driver get removed fully by MBAM? If not, use UnHackMe to make sure. The rootkit installed by TDSS 3 was much harder to get rid of, even using MBAM. The new layer they go to install is low-level access. It makes it harder to detect if the scanner is not at boot sector level. MBAM, by default, is not designed to scan the boot sector. UnHackMe is designed to run before any driver is loaded and creates a virtual sandbox for rootkit control. I prefer using this if there is a rootkit involved when doing malware analysis myself in my lab. Those Chinese hackers are at it again... Dang it! Here is the link: http://www.greatis.com/unhackme/

Be sure to check the other experts' comments closely and follow directions to the point. Malware disinfection is no joking business.

Knowledge for today:
Here it comes! Did you know that the developer of the rootkit liked reciting poetry? So say the poetic notes left in the binary they so thoughtfully left behind for analysts. They also like Homer Simpson!
 
LVL 38

Expert Comment

by:younghv
ID: 35036281
If you're going to blow away that computer and re-image it, you won't need these instructions, but you can save them for the next time one of your users gets infected.

NOTE: This is NOT one of the malware variants for which you should use MBAM in Safe Mode. Safe Mode is almost never recommended for MBAM and should always be followed with a "Normal Mode" scan.

(http://forums.malwarebytes.org/index.php?showtopic=17334&pid=89009&mode=threaded&start=#entry89009)

The actual removal steps for "AntiVirus System 2011" are here:

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-2011
 
LVL 8

Expert Comment

by:lancecurwensville
ID: 35036684
Winsock Fix.
Download, run, reboot when prompted.
This will reset the hosts file and TCP/IP stack.

http://www.snapfiles.com/get/winsockxpfix.html
 
LVL 7

Author Comment

by:Reece Dodds
ID: 35088592
Finally got the system today...

Working through your posts one by one.

@dbrunton: Check this location in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

and see that it points to your Hosts file.

It points to %SystemRoot%\System32\drivers\etc which is normal.
 
LVL 7

Author Comment

by:Reece Dodds
ID: 35088672
@SSharma: Kaspersky's TDSSKiller found 0 threats. Symantec's one is running now.
 
LVL 38

Expert Comment

by:younghv
ID: 35088693
Note the actual title of the instructions at the link I gave you:

"Remove AntiVirus System 2011"
Based on what your user described, it would seem a good place to start.
*************

The actual removal steps for "AntiVirus System 2011" are here:

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-2011
 
LVL 7

Author Comment

by:Reece Dodds
ID: 35088795
Whoa.... I just found the problem.

The malware set the hosts file as a system file, which was previously hidden on this computer, and added another file called hosts which looked normal.

I found this because I deleted all files in the etc folder and went to move clean ones across from another computer, but it said that the hosts file already exists. Size mismatch too! (The existing one was 2.7KB and the clean file I was moving was 773b)...

So I turned on "show system files" and found the modified file.
Here is what it contains:


# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
204.152.194.204 www.google.com 
204.152.194.204 google.com
204.152.194.204 google.com.au
204.152.194.204 www.google.com.au
204.152.194.204 google.be
204.152.194.204 www.google.be
204.152.194.204 google.com.br
204.152.194.204 www.google.com.br
204.152.194.204 google.ca
204.152.194.204 www.google.ca
204.152.194.204 google.ch
204.152.194.204 www.google.ch
204.152.194.204 google.de
204.152.194.204 www.google.de
204.152.194.204 google.dk
204.152.194.204 www.google.dk
204.152.194.204 google.fr
204.152.194.204 www.google.fr
204.152.194.204 google.ie
204.152.194.204 www.google.ie
204.152.194.204 google.it
204.152.194.204 www.google.it
204.152.194.204 google.co.jp
204.152.194.204 www.google.co.jp
204.152.194.204 google.nl
204.152.194.204 www.google.nl
204.152.194.204 google.no
204.152.194.204 www.google.no
204.152.194.204 google.co.nz
204.152.194.204 www.google.co.nz
204.152.194.204 google.pl
204.152.194.204 www.google.pl
204.152.194.204 google.se
204.152.194.204 www.google.se
204.152.194.204 google.co.uk
204.152.194.204 www.google.co.uk
204.152.194.204 google.co.za
204.152.194.204 www.google.co.za
204.152.194.204 www.google-analytics.com
204.152.194.204 www.bing.com
204.152.194.204 search.yahoo.com
204.152.194.204 www.search.yahoo.com
204.152.194.204 uk.search.yahoo.com
204.152.194.204 ca.search.yahoo.com
204.152.194.204 de.search.yahoo.com
204.152.194.204 fr.search.yahoo.com
204.152.194.204 au.search.yahoo.com
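The hosts file above is the whole story: every search-engine and vendor name is pinned to two routable addresses, while a stock XP file carries only the localhost line. The script below is an added example (not code from the thread or from any of the tools named in it) that parses a hosts file, flags every mapping that points somewhere other than loopback or 0.0.0.0, rates a hit higher when the redirected name belongs to a watched domain, groups the hits by destination address, and checks for the Hidden/System attribute trick used to bury the real file. The watched-domain list and the abridged sample file are constructed for the example; `triage_file` takes any path you hand it.

```python
"""Triage a Windows hosts file for hijack mappings like those posted above."""
import ipaddress
import os
from collections import defaultdict

# Domains a hijacked hosts file typically redirects: search engines and
# vendor update/safe-browsing hosts. Assumption: extend for your environment.
WATCHED_SUFFIXES = ("google.com", "google.com.au", "google.co.uk", "bing.com",
                    "yahoo.com", "microsoft.com", "google-analytics.com")

# Constructed sample input, abridged from the hosts file posted in the thread.
SAMPLE_HIJACKED_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
74.125.45.100 getantivirusplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
204.152.194.204 www.google.com
204.152.194.204 google.com.au
204.152.194.204 www.bing.com
204.152.194.204 search.yahoo.com
"""

# The only active line a stock XP hosts file carries.
SAMPLE_CLEAN_HOSTS = "127.0.0.1       localhost\n"

# Win32 file attribute bits (same values as stat.FILE_ATTRIBUTE_HIDDEN/SYSTEM).
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every active mapping; comments,
    blank lines and lines whose first field is not an IP are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in fields[1:]:
            entries.append((line_no, ip, name.lower()))
    return entries


def flag_entries(entries):
    """Flag mappings that send a name somewhere other than loopback/0.0.0.0.
    Sinkhole lists such as the MVPS file use 127.0.0.1 or 0.0.0.0 and stay
    unflagged; a routable target is suspect, and a watched domain sent to a
    routable target is the search-hijack signature seen above."""
    flagged = []
    for line_no, ip, name in entries:
        if ip.is_loopback or ip.is_unspecified:
            continue
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        flagged.append({"line": line_no, "ip": str(ip), "name": name,
                        "severity": "high" if watched else "medium"})
    return flagged


def redirect_targets(flagged):
    """Group flagged names by destination: a couple of addresses collecting
    dozens of unrelated hostnames is what a hijacked file looks like."""
    by_ip = defaultdict(list)
    for entry in flagged:
        by_ip[entry["ip"]].append(entry["name"])
    return dict(by_ip)


def hidden_or_system(path):
    """True if the file carries the Hidden or System attribute, the trick the
    malware used above to tuck the real hosts file behind a decoy. Returns
    None off Windows, where os.stat has no st_file_attributes."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))


def triage_file(path):
    """Read a hosts file from disk and return its flagged mappings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return flag_entries(parse_hosts(fh.read()))


if __name__ == "__main__":
    hits = flag_entries(parse_hosts(SAMPLE_HIJACKED_HOSTS))
    for ip, names in redirect_targets(hits).items():
        print(f"{ip}: {len(names)} hostname(s) redirected -> {', '.join(names)}")
    # On the live machine: triage_file(r"C:\Windows\System32\drivers\etc\hosts")
```

Run it against the sample and the two hijack addresses each come back with their list of captured names; run `triage_file` against the real `drivers\etc\hosts` (after enabling "show system files", since the decoy may be the one you see first) and an empty result is what a clean machine gives. Loopback and 0.0.0.0 mappings are deliberately left alone so that a legitimate blocklist such as the MVPS hosts file does not light up the report.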
 
LVL 38

Expert Comment

by:younghv
ID: 35088833
OK - this is the third time we've seen this on EE that I know of - all related to an infected router.

Similar symptoms - and of course, as soon as you clean the computer, it gets reinfected.

More to follow.
 
LVL 38

Expert Comment

by:younghv
ID: 35088842
Try using this HOSTS file first - it might at least get you connecting.

http://www.mvps.org/winhelp2002/hosts.htm
 
LVL 7

Author Comment

by:Reece Dodds
ID: 35088894
The question is now... what services do I disable to be able to modify or delete the bad hosts file?

Can I change the registry location of it?

@younghv: I hadn't got to your post yet. Don't fret, I will run your link anyway.
 
LVL 38

Expert Comment

by:younghv
ID: 35088915
As a Techie, you probably already know this - but if you can't 'replace' it with the MVPS HOSTS file, you can simply delete the HOSTS file and re-boot.
Windows will recreate the generic one when the system comes back up.
 
LVL 38

Expert Comment

by:younghv
ID: 35088932
Sorry - we're cross posting.

Strike my comment above about the router - I think this is just the plain old "AntiVirus System 2011"

Rkill will stop the malware processes:
http://www.bleepingcomputer.com/download/anti-virus/rkill
 
LVL 38

Expert Comment

by:younghv
ID: 35089037
"phototropic" was the first to mention the HOSTS file and suggest a replacement.
http:#a35034361

I apologize for overlooking that. He is a real pro at this stuff and you can trust his advice.

There are a couple of real garbage posts here that you should ignore.

"ComboFix", "TdssKiller", and "Hitmanpro" are NOT indicated for these symptoms.
 
LVL 7

Author Comment

by:Reece Dodds
ID: 35089059
OK... I've somehow renamed the compromised hosts file to "hosts-bad".
I've moved all the clean etc files into the laptop's etc folder.
Restarted the computer and I can now access Google, Yahoo and all the other norms.

I still can't delete "hosts-bad" though... it says "Cannot delete hosts-bad: Access is denied. Make sure that the disk is not full or write-protected and that the file is not currently in use." OK.

Just a note, this file is now a "system file" whereas a normal hosts file isn't.

Any ideas?
 
LVL 38

Assisted Solution

by:younghv
younghv earned 50 total points
ID: 35089073
You may have to re-boot to "Safe Mode", plus there are some hard-core file deleters I have used in the past.

Try 'right-clicking' on that file, go to Properties, and "Take Ownership".

That might enable you to delete it without re-booting.
 
LVL 7

Author Comment

by:Reece Dodds
ID: 35089085
Thanks mate...
HitmanPro is reporting that IE is using a proxy server on the PC: 127.0.0.1:25576

Ignore?
 
LVL 38

Expert Comment

by:younghv
ID: 35089102
I would go into your networking properties (or IE) and remove the 'Proxy' check mark.
Picture to follow.
 
LVL 7

Author Comment

by:Reece Dodds
ID: 35089150
Dude... I know where that is... if you read my O.P. I said that there are no proxy settings there at all.
Anyway... I've ignored HitmanPro's suggestion.

Rebooted into Safe Mode. I already have ownership of the hosts-bad file, but the permissions were set to read-only. I changed to full control, deleted the file, rebooted and so far, all seems well.

Thanks.
 
LVL 38

Expert Comment

by:younghv
ID: 35089156
Pictures Tools Options in IE LAN Settings
 
LVL 38

Expert Comment

by:younghv
ID: 35089163
Oops!
I'll save those pics for someone who needs them.
Forgot to refresh my damn screen.
 
LVL 7

Author Comment

by:Reece Dodds
ID: 35089190
All seems well. One thing though...

I did another reset of IE8 and it keeps putting a freaking eBay URL as the homepage. Any ideas what is causing this?
 
LVL 9

Expert Comment

by:AriMc
ID: 35089219
In this scenario I'd also seriously consider backing up the vital data on the user's computer, then simply wiping the hard disk and reinstalling everything.

This is what sometimes happens to Windows.
 
LVL 38

Expert Comment

by:younghv
ID: 35089240
The last thing I saw was that you ran "HitmanPro" (which is not really indicated for this) - but have you yet gone through the detailed instructions at the link I posted?
**************

AriMc - read the Asker's comment here: http:#a35032789 - the idea is to get the computer functioning and back to the user.

Format/reinstall is planned for the future.
 
LVL 7

Author Comment

by:Reece Dodds
ID: 35089242
He is getting a new laptop within the week as he goes to Europe on the 20th.
After he goes and leaves me with this STD machine, I will be doing a full rebuild before passing it on to a more cautious staff member...
 
LVL 22

Expert Comment

by:optoma
ID: 35089281
I wouldn't leave that proxy setting. BTW, what software firewall is in use?
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35089338
@Reecem27, check to see if you have files named ssta5 or similar in your windows\temp, system32, and lastly system32\prefetch folders. The recent rootkit that is starting to spread is using these locations to store vital files for it to run. Just curious if this is the same kit used. It does a few things differently than the past rootkits.
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35089356
I forgot to add that there will also be file names used with random characters, like 2g6gjddj.exe.179ah, not your normal polymorphic file name variation.
 
LVL 9

Expert Comment

by:AriMc
ID: 35089408
younghv: Sometimes it's (at least financially speaking) better to just start over instead of spending dozens of hours on a simple laptop with a serious problem.

I mean: a solicitor probably has a number of his/her own documents on the computer and nothing else that can't be easily replaced with a fresh install. Even a new medium-range laptop costs just about 2 hours of work of a professional computer technician, so what's the point of trying to find the root cause of it?
(Academic interest would be a valid point, but not viable in a commercial environment.)
 
LVL 7

Author Comment

by:Reece Dodds
ID: 35089541
@AriMc and younghv: as any tech knows, you always try for a quick fix... if that fails or is starting to use too much time, rebuild the damn thing!

So yeah, I was looking for a suggestion or utility that would fix the issue without spending hours reading up on how to use the program or reprogramming the matrix... if they were unsuccessful, I'd back up, wipe and reinstall.

That said, as I mentioned in my first post today younghv, I'd received such an overwhelming list of suggestions, I thought it best to work through them in FIFO method (first-in-first-out). Hitmanpro was suggestion 3.

I'm about to close this question, and credit will go to what I feel the best suggestion that led to my compromised hosts file discovery was.

Many of these posts were redundant because they were suggesting that I check something I'd already done and stated in the OP.
 
LVL 22

Expert Comment

by:optoma
ID: 35089591
Just don't forget to remove the proxy using Hitmanpro or HijackThis, if present as it stands, and if using Windows Firewall, check the exceptions tab entries :)
 
LVL 7

Author Closing Comment

by:Reece Dodds
ID: 35089599
It was Hitmanpro that made me double-take on the hosts file situation, Phototropic's idea of resetting it that gave me the idea of using the etc folder from another PC, and younghv's help that allowed me to remove the hosts-bad file.

Thanks again for everyone's input.
 
LVL 22

Expert Comment

by:optoma
ID: 35089616
No prob reecem27.
 
LVL 23

Expert Comment

by:phototropic
ID: 35089645
I've been off-line all day - sorry not to get back to you.

Glad to hear that your problem is resolved.
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35089777
Anyway... I would suggest you keep track of your internet traffic with Snort and lswt rules, looking for traffic coming from that proxy address:port and the router address, and see if you get any hit traffic. If you do, the problem may persist and there may be reason to reset the router to default settings after backing up settings, update, and then reconfigure. After that, all you can do is hope the update is not flawed as well.
 
LVL 7

Author Comment

by:Reece Dodds
ID: 35089877
Not to worry Russell... we run a Juniper hardware firewall and I most definitely do not have that port open. I'm a network nazi during office hours.
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35089906
Sounds good =) hope all is well then