Solved

can't access google... suspect DNS

Posted on 2011-03-03
47
1,167 Views
Last Modified: 2013-11-22
one of our staff has got themselves a nasty malware infection.  I've since removed it and the computer is functioning OK again except Google (and Yahoo).
It doesn't matter which browser is used, Google "can not be found" and Yahoo loads, but no search results work.
If I ping the URLs, they resolve to something quite different from other PCs in the office.
I thought maybe the malware put a dummy proxy in - nothing found.
So maybe it changed the hosts file - all looks normal.
So I did ipconfig /all - settings (except IP) are identical to the other PCs.
So I did ipconfig /flushdns - didn't help.

Where else in Win XP (SP3) can settings be changed to cause these problems?
0
Question by: Reece Dodds

47 Comments
 
Assisted Solution by dbrunton (LVL 47, earned 50 total points)
Check this location in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

and see that it points to your Hosts file.
0
 
Expert Comment by AriMc (LVL 9)
Wild idea: Are the ipconfig.exe sizes, dates and MD5 hashes the same on this computer and the others? Maybe the virus changed that and is returning the old saved values?

0
 
Expert Comment by Sudeep Sharma (LVL 29)
0
 
Author Comment by Reece Dodds (LVL 7)
Thanks guys

Laptop is on its way to me now so I can work on it in person rather than remotely.

I'll let you know of my findings.
0
 
Expert Comment by aleghart (LVL 32)
If you're getting hands-on, might be a good time to re-image or re-install the entire thing.  Much cleaner than cleaning up after malware and years of use.
0
 
Expert Comment by optoma (LVL 22)
Any name for the malware, and what tools were used to clean it?

If needed, run ComboFix and post the log here, which may be useful :)
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
Author Comment by Reece Dodds (LVL 7)
Just need to get it working for the solicitor to use over the remainder of this week and next.
We're purchasing him a new laptop prior to him going OS on the 20th.  Once he's gone I'll format the s**t out of the drive.

Don't remember the name of the malware infection; it was a variant of the Antivirus 2011 scareware type.  It hijacked all his Google search results, disabled Security Centre and Symantec Endpoint.
Used fully updated Malwarebytes in safe mode to remove it.
Plus your standard IE8 reset, msconfig, disk cleanup etc.
0
 
Accepted Solution by optoma (LVL 22, earned 250 total points)
Ok.
Can you run this quick scanner first before Combofix. Post logs for all :)
http://www.surfright.nl/en/hitmanpro Hitmanpro
0
 
Expert Comment by Yotefn (LVL 3)
Check the following file:

c:\windows\system32\drivers\etc\hosts

for any entries other than the standard 127.0.0.1 localhost address.

Anything else in there will mess up DNS.
0
 
Assisted Solution by phototropic (LVL 23, earned 150 total points)
You could reset your hosts file via Hostsxpert:

http://www.funkytoad.com/index.php?option=com_content&id=13

Some malware will mess with the hosts file, or lock it so that you are denied access to edit it.

I recently helped an asker with this problem. See if the hosts file procedures here will help:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_26804419.html

Good luck!!!
0
 
Expert Comment by Russell_Venable (LVL 15)
This is definitely a remnant of TDSS 3. Did the TDSS.sys driver get removed fully by MBAM? If not, use UnHackMe to make sure. The rootkit installed by TDSS 3 was much harder to get rid of, even using MBAM. The new layer they go to install is low-level access. It makes it harder to detect if the scanner is not at boot-sector level. MBAM, by default, is not designed to scan the boot sector. UnHackMe is designed to run before any driver is loaded and creates a virtual sandbox for rootkit control. I prefer using this if there is a rootkit involved when doing malware analysis myself in my lab. Those Chinese hackers are at it again... Dang it! Here is the link http://www.greatis.com/unhackme/

Be sure to check the other experts' comments closely and follow directions to the point. Malware disinfection is no joking business.

Knowledge for today:
Here it comes! Did you know that the developer of the rootkit liked reciting poetry? So say the poetic notes left in the binary they so thoughtfully left behind for analysts. They also like Homer Simpson!
0
 
Expert Comment by younghv (LVL 38)
If you're going to blow away that computer and re-image it, you won't need these instructions, but you can save them for the next time one of your users gets infected.

NOTE: This is NOT one of the malware variants for which you should use MBAM in Safe Mode. Safe Mode is almost never recommended for MBAM and should always be followed with a "Normal Mode" scan.

(http://forums.malwarebytes.org/index.php?showtopic=17334&pid=89009&mode=threaded&start=#entry89009)

The actual removal steps for "AntiVirus System 2011" are here:

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-2011
0
 
Expert Comment by lancecurwensville (LVL 8)
Winsock Fix.
Download, run, reboot when prompted.
This will reset the hosts file and TCP/IP stack.

http://www.snapfiles.com/get/winsockxpfix.html

0
 
Author Comment by Reece Dodds (LVL 7)
finally got the system today...

Working through your posts one by one.

@
dbrunton:Check this location in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

and see that it points to your Hosts file.

It points to %SystemRoot%\System32\drivers\etc which is normal.
0
 
Author Comment by Reece Dodds (LVL 7)
@SSharma:   Kaspersky's TDSSKiller found 0 threats.  Symantec's one is running now.
0
 
Expert Comment by younghv (LVL 38)
Note the actual title of the instructions at the link I gave you:

"Remove AntiVirus System 2011"
Based on what your user described, it would seem a good place to start.
*************

The actual removal steps for "AntiVirus System 2011" are here:

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-2011
0
 
Author Comment by Reece Dodds (LVL 7)
Whoa....  I just found the problem.

The malware set the hosts file as a system file, which was previously hidden on this computer, and added another file called hosts which looked normal.

I found this because I deleted all files in the etc folder and went to move clean ones across from another computer, but it said that the hosts file already exists.  Size mismatch too! (The existing one was 2.7KB and the clean file I was moving was 773 bytes.)

So I turned on show system files, and found the modified file.
Here is what it contains:


# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
204.152.194.204 www.google.com
204.152.194.204 google.com
204.152.194.204 google.com.au
204.152.194.204 www.google.com.au
204.152.194.204 google.be
204.152.194.204 www.google.be
204.152.194.204 google.com.br
204.152.194.204 www.google.com.br
204.152.194.204 google.ca
204.152.194.204 www.google.ca
204.152.194.204 google.ch
204.152.194.204 www.google.ch
204.152.194.204 google.de
204.152.194.204 www.google.de
204.152.194.204 google.dk
204.152.194.204 www.google.dk
204.152.194.204 google.fr
204.152.194.204 www.google.fr
204.152.194.204 google.ie
204.152.194.204 www.google.ie
204.152.194.204 google.it
204.152.194.204 www.google.it
204.152.194.204 google.co.jp
204.152.194.204 www.google.co.jp
204.152.194.204 google.nl
204.152.194.204 www.google.nl
204.152.194.204 google.no
204.152.194.204 www.google.no
204.152.194.204 google.co.nz
204.152.194.204 www.google.co.nz
204.152.194.204 google.pl
204.152.194.204 www.google.pl
204.152.194.204 google.se
204.152.194.204 www.google.se
204.152.194.204 google.co.uk
204.152.194.204 www.google.co.uk
204.152.194.204 google.co.za
204.152.194.204 www.google.co.za
204.152.194.204 www.google-analytics.com
204.152.194.204 www.bing.com
204.152.194.204 search.yahoo.com
204.152.194.204 www.search.yahoo.com
204.152.194.204 uk.search.yahoo.com
204.152.194.204 ca.search.yahoo.com
204.152.194.204 de.search.yahoo.com
204.152.194.204 fr.search.yahoo.com
204.152.194.204 au.search.yahoo.com
0
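The file above is the whole story: a stock-looking Microsoft header, then one block of AV-vendor and payment-site names sent to 74.125.45.100, and a second block of search engines sent to 204.152.194.204. What follows is an added example, not code from this thread or from any of the tools mentioned in it: a small Python auditor that reads a HOSTS file the way the resolver does (tabs, runs of spaces, trailing `#` comments, several names per line), separates legitimate blocking entries (names sent to 127.0.0.1 or 0.0.0.0, which is all an MVPS-style file contains) from redirects to routable addresses, and shows what a lookup of www.google.com returns before DNS is ever consulted. The sample text is a trimmed copy of the posted file with one blocking line added, and the watch-list suffixes are my own choice, not something the thread specifies.

```python
import ipaddress
from collections import defaultdict

# Names that legitimately map to loopback in a stock Windows HOSTS file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Assumed watch list (my choice, not from the thread): domains whose presence
# in HOSTS on a workstation almost always means search hijacking or
# sabotage of AV/update sites.
WATCH_SUFFIXES = ("google.com", "google.com.au", "google.co.uk", "bing.com",
                  "search.yahoo.com", "microsoft.com", "google-analytics.com")


def parse_hosts(text):
    """Return [(lineno, ip, name), ...] from HOSTS-format text.

    Handles whole-line and trailing '#' comments, tabs and runs of spaces,
    and several names on one line. A line whose first token is not an IP
    address is kept with ip=None so the caller can report it.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            entries.append((lineno, None, tokens[0]))
            continue
        for name in tokens[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def on_watchlist(name, suffixes=WATCH_SUFFIXES):
    """Exact or subdomain match only, so 'notgoogle.com' does not match."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def audit_hosts(text):
    """Classify every mapping in a HOSTS file.

    blocked:    non-local name sent to loopback or 0.0.0.0, the legitimate
                ad/malware-blocking use (MVPS-style files are all of these)
    redirected: non-local name sent to a routable address, grouped by target;
                this is the hijack pattern on the asker's laptop
    hijacked_watchlist: redirected names that match WATCH_SUFFIXES
    malformed:  lines whose first token is not an IP address
    """
    report = {"blocked": [], "redirected": defaultdict(list),
              "hijacked_watchlist": [], "malformed": []}
    for lineno, ip, name in parse_hosts(text):
        if ip is None:
            report["malformed"].append((lineno, name))
        elif name in LOCAL_NAMES and ip.is_loopback:
            continue  # the stock '127.0.0.1 localhost' line
        elif ip.is_loopback or ip.is_unspecified:
            report["blocked"].append(name)
        else:
            report["redirected"][str(ip)].append(name)
            if on_watchlist(name):
                report["hijacked_watchlist"].append(name)
    report["redirected"] = dict(report["redirected"])
    return report


def resolve_via_hosts(text, name):
    """Address the resolver answers for `name` before DNS is consulted: the
    first matching entry wins. This is why ping on the infected PC returned
    an address no other machine in the office did."""
    name = name.lower()
    for _, ip, entry in parse_hosts(text):
        if ip is not None and entry == name:
            return str(ip)
    return None


# Constructed sample: a trimmed copy of the hijacked file posted above, plus
# one MVPS-style blocking line to show the contrast.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
0.0.0.0\t\tads.example.invalid   # blocking entry: legitimate
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 getantivirusplusnow.com
204.152.194.204 www.google.com
204.152.194.204 google.com
204.152.194.204 www.google.com.au
204.152.194.204 www.bing.com
204.152.194.204 search.yahoo.com
204.152.194.204 au.search.yahoo.com
"""

if __name__ == "__main__":
    result = audit_hosts(SAMPLE)
    for target, names in result["redirected"].items():
        print(f"{len(names):>3} names redirected to {target}")
    print("watch-list hits:", ", ".join(result["hijacked_watchlist"]))
    print("www.google.com ->", resolve_via_hosts(SAMPLE, "www.google.com"))
```

On a real machine, feed it the file the registry's DataBasePath points at (open it with `errors="replace"`, since hijacked copies are sometimes not clean ASCII). The trimmed sample reproduces the asker's symptom exactly: www.yahoo.com is not in the file, so Yahoo's front page loads, while search.yahoo.com and the country variants are, so every search fails; and the 74.125.45.100 block keeps safebrowsing-cache.google.com and urs.microsoft.com (browser phishing/SmartScreen lookups) from reaching their real servers.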
 
Expert Comment by younghv (LVL 38)
OK - this is the third time we've seen this on EE that I know of - all related to an infected router.

Similar symptoms - and of course, as soon as you clean the computer, it gets reinfected.

More to follow.
0
 
Expert Comment by younghv (LVL 38)
Try using this HOSTS file first - it might at least get you connecting.

http://www.mvps.org/winhelp2002/hosts.htm
0
 
Author Comment by Reece Dodds (LVL 7)
The question is now... what services do I disable to be able to modify or delete the bad hosts file?

Can I change the registry location of it?

@younghv:  I hadn't got to your post yet.  Don't fret, I will run your link anyway.
0
 
Expert Comment by younghv (LVL 38)
As a Techie, you probably already know this - but if you can't 'replace' it with the MVPS HOSTS file, you can simply delete the HOSTS file and re-boot.
Windows will recreate the generic one when the system comes back up.
0
 
Expert Comment by younghv (LVL 38)
Sorry - we're cross posting.

Strike my comment above about the router - I think this is just the plain old "AntiVirus System 2011"

Rkill will stop the malware processes:
http://www.bleepingcomputer.com/download/anti-virus/rkill
0
 
Expert Comment by younghv (LVL 38)
"phototropic" was the first to mention the HOSTS file and suggest a replacement.
http:#a35034361

I apologize for overlooking that. He is a real pro at this stuff and you can trust his advice.

There are a couple of real garbage posts here that you should ignore.

"ComboFix", "TdssKiller", and "Hitmanpro" are NOT indicated for these symptoms.
0

Author Comment by Reece Dodds (LVL 7)
OK... I've somehow renamed the compromised hosts file to "hosts-bad".
I've moved all clean etc files into the laptop's etc folder.
Restarted the computer and I can now access Google, Yahoo and all the other norms.

I still can't delete "hosts-bad" though... it says "Cannot delete hosts-bad: Access is denied.  Make sure that the disk is not full or write-protected and that the file is not currently in use." OK.

Just a note, this file is now a "system file" whereas a normal hosts file isn't.

Any ideas?
0
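The trick in this thread, a replacement hosts file carrying the hidden and system attributes so Explorer's default view never shows it, is easy to miss by eye and easy to catch from a script that ignores view settings. As an added example (not from the thread and not from any of the tools named in it), the Python below inventories every regular file in an etc folder, hidden and system ones included, records size, SHA-256 and attribute flags, and diffs the result against the same folder copied from a known-clean machine, which is what the asker did by hand once the size mismatch showed up. The fixture it builds in a temp directory is constructed for the demo; the hidden/system bits come from `st_file_attributes` and so only appear on Windows, while the read-only check works on any platform.

```python
import hashlib
import os
import stat
import tempfile

# DOS attribute bits reported by os.stat() on Windows (st_file_attributes).
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


def attribute_flags(st):
    """Names of the flags malware sets to keep a file out of sight or out of
    reach. The DOS bits exist only on Windows; the owner-write bit exists
    everywhere, so 'readonly' is detected on any platform."""
    attrs = getattr(st, "st_file_attributes", 0)
    flags = []
    if attrs & FILE_ATTRIBUTE_HIDDEN:
        flags.append("hidden")
    if attrs & FILE_ATTRIBUTE_SYSTEM:
        flags.append("system")
    if attrs & FILE_ATTRIBUTE_READONLY or not (st.st_mode & stat.S_IWUSR):
        flags.append("readonly")
    return flags


def inventory(folder):
    """{filename: {size, sha256, flags}} for every regular file in `folder`.
    os.scandir lists hidden and system files regardless of Explorer's view
    settings, which is the point of doing this from a script."""
    result = {}
    with os.scandir(folder) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            st = entry.stat(follow_symlinks=False)
            with open(entry.path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[entry.name] = {"size": st.st_size, "sha256": digest,
                                  "flags": attribute_flags(st)}
    return result


def compare(clean, suspect):
    """Return (filename, code, detail) findings. `clean` is the inventory of
    the same folder taken from a known-good machine; only a byte-identical
    file with no attribute flags passes silently."""
    findings = []
    for name, info in sorted(suspect.items()):
        ref = clean.get(name)
        if ref is None:
            findings.append((name, "extra", "not present in clean reference"))
        elif ref["sha256"] != info["sha256"]:
            findings.append((name, "changed",
                             f"{info['size']} bytes here, {ref['size']} bytes clean"))
        if info["flags"]:
            findings.append((name, "attributes", ",".join(info["flags"])))
    for name in sorted(set(clean) - set(suspect)):
        findings.append((name, "missing", "present on clean machine only"))
    return findings


# Constructed fixture contents (not real system files).
CLEAN_HOSTS = b"# stock Windows hosts file\r\n127.0.0.1       localhost\r\n"
BAD_HOSTS = CLEAN_HOSTS + b"204.152.194.204 www.google.com\r\n"


def build_fixture(root):
    """Create clean_etc/ and suspect_etc/ under `root`. The suspect folder has
    a replaced, read-only hosts file and a leftover 'hosts-bad' beside it."""
    clean = os.path.join(root, "clean_etc")
    suspect = os.path.join(root, "suspect_etc")
    for folder in (clean, suspect):
        os.makedirs(folder)
        for fname in ("networks", "protocol", "services", "lmhosts.sam"):
            with open(os.path.join(folder, fname), "wb") as fh:
                fh.write(b"# " + fname.encode() + b"\r\n")
    with open(os.path.join(clean, "hosts"), "wb") as fh:
        fh.write(CLEAN_HOSTS)
    bad = os.path.join(suspect, "hosts")
    with open(bad, "wb") as fh:
        fh.write(BAD_HOSTS)
    os.chmod(bad, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)  # DOS read-only bit on Windows
    with open(os.path.join(suspect, "hosts-bad"), "wb") as fh:
        fh.write(BAD_HOSTS)
    return clean, suspect


def demo():
    """Build the fixture in a temp dir, audit it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        clean, suspect = build_fixture(root)
        findings = compare(inventory(clean), inventory(suspect))
        # clear read-only again so the temp dir cleanup succeeds on Windows
        os.chmod(os.path.join(suspect, "hosts"), stat.S_IRUSR | stat.S_IWUSR)
    return findings


if __name__ == "__main__":
    for name, code, detail in demo():
        print(f"{name:<12} {code:<10} {detail}")
```

Against a real laptop, run `inventory()` on `%SystemRoot%\System32\drivers\etc` and on the same folder of a known-good PC, then `compare()` the two; a file that shows "hidden,system,readonly" and "changed" in the same run is the one to take ownership of, clear the attributes on, and replace. Hashing rather than comparing sizes matters because a hijacked file can be padded to match the stock size.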
 
Assisted Solution by younghv (LVL 38, earned 50 total points)
You may have to re-boot to "Safe Mode", plus there are some hard-core file deleters I have used in the past.

Try right-clicking on that file, go to Properties, and "Take Ownership".

That might enable you to delete it without re-booting.
0
 
Author Comment by Reece Dodds (LVL 7)
Thanks mate...
HitmanPro is reporting that IE is using a proxy server on the PC:  127.0.0.1:25576

Ignore?
0
 
Expert Comment by younghv (LVL 38)
I would go into your networking properties (or IE) and remove the 'Proxy' check mark.
Picture to follow.
0
 
Author Comment by Reece Dodds (LVL 7)
Dude... I know where that is... if you read my OP I said that there are no proxy settings there at all.
Anyway... I've ignored HitmanPro's suggestion.

Rebooted into safe mode.  I already have ownership of the hosts-bad file, but the permissions were set to read-only.  I changed to full control, deleted the file, rebooted and so far, all seems well.

Thanks.
0
 
Expert Comment by younghv (LVL 38)
[Pictures: Tools > Options in IE, LAN Settings]
0
 
Expert Comment by younghv (LVL 38)
Oops!
I'll save those pics for someone who needs them.
Forgot to refresh my damn screen.
0
 
Author Comment by Reece Dodds (LVL 7)
All seems well.  One thing though...

I did another reset of IE8 and it keeps putting a freaking eBay URL as the homepage.  Any ideas what is causing this?
0
 
Expert Comment by AriMc (LVL 9)
In this scenario I'd also seriously consider backing up the vital data on the user's computer, then simply wipe the hard disk and reinstalling everything.

This is what sometimes happens to Windows.

0
 
Expert Comment by younghv (LVL 38)
The last thing I saw was that you ran "HitmanPro" (which is not really indicated for this) - but have you yet gone through the detailed instructions at the link I posted?
**************

AriMc - read the Asker's comment here: http:#a35032789 - the idea is to get the computer functioning and back to the user.

Format/reinstall is planned for the future.
0
 
Author Comment by Reece Dodds (LVL 7)
He is getting a new laptop within the week as he goes to Europe on the 20th.
After he goes and leaves me with this STD machine, I will be doing a full rebuild before passing it on to a more cautious staff member...
0
 
Expert Comment by optoma (LVL 22)
I wouldn't leave that proxy setting. BTW , what software firewall is in use?
0
 
Expert Comment by Russell_Venable (LVL 15)
@Reecem27, check to see if you have files named ssta5 or similar in your windows\temp, system32, and lastly system32\prefetch folders. The recent rootkit that is starting to spread is using these locations to store vital files it needs to run. Just curious if this is the same kit used. It does a few things differently than the past rootkits.
0
 
Expert Comment by Russell_Venable (LVL 15)
I forgot to add: there will also be file names with random characters like 2g6gjddj.exe.179ah, not your normal polymorphic file name variation.
0
 
Expert Comment by AriMc (LVL 9)
younghv: Sometimes it's (at least financially speaking) better to just start over instead of spending dozens of hours on a simple laptop with a serious problem.

I mean: a solicitor probably has a number of his/her own documents on the computer and nothing else that can't be easily replaced with a fresh install. Even a new medium-range laptop costs just about 2 hours of work of a professional computer technician, so what's the point of trying to find the root cause of it?
(Academic interest would be a valid point, but not viable in a commercial environment.)

0
 
Author Comment by Reece Dodds (LVL 7)
@AriMc and younghv:  as any tech knows, you always try for a quick fix... if that fails or is starting to use too much time, rebuild the damn thing!

So yeah, I was looking for a suggestion or utility that would fix the issue without spending hours of reading up on how to use the program or reprogramming the Matrix...  if they were unsuccessful, I'd backup, wipe and reinstall.

That said, as I mentioned in my first post today younghv, I'd received such an overwhelming list of suggestions, I thought it best to work through them in FIFO method (first-in-first-out).  HitmanPro was suggestion 3.

I'm about to close this question, and credit will go to what I feel the best suggestion that led to my compromised hosts file discovery was.

Many of these posts were redundant because they were suggesting that I check something I'd already done and stated in the OP.
0
 
Expert Comment by optoma (LVL 22)
Just don't forget to remove the proxy using HitmanPro or HijackThis, if present as it stands, and if using Windows Firewall, check the exceptions tab entries :)
0
 
Author Closing Comment by Reece Dodds (LVL 7)
It was Hitmanpro that made me doubletake on the hosts file situation, Phototropic's idea of resetting it that gave me the idea of using the etc folder from another PC, and younghv's help that allowed me to remove the hosts-bad file.

Thanks again for everyone's input.
0
 
Expert Comment by optoma (LVL 22)
No prob reecem27.
0
 
Expert Comment by phototropic (LVL 23)
I've been off-line all day - sorry not to get back to you.

Glad to hear that your problem is resolved.
0
 
Expert Comment by Russell_Venable (LVL 15)
Anyways... I would suggest you keep track of your internet traffic with Snort and lswt rules looking for traffic coming from that proxy address:port and the router address, and see if you get any hit traffic. If you do, the problem may persist and there may be reason to reset the router to default settings after backing up settings, update, and then reconfigure. Next, all you can do is hope the update is not flawed as well.
0
 
Author Comment by Reece Dodds (LVL 7)
Not to worry Russell... we run a Juniper hardware firewall and I most definitely do not have that port open.  I'm a network nazi during office hours.
0
 
Expert Comment by Russell_Venable (LVL 15)
Sounds good =) hope all is well then
0
