DNS Hijackers ignored by AntiSpy


Ron Kinner

Just got a HijackThis log from someone on the forum who
said AntiSpy didn't find anything but they kept getting
unexpected results. They didn't really have much in their
log except multiple DNS hijackers.


O17 - HKLM\System\CCS\Services\Tcpip\..\{670984D9-8A85-4B48-8117-43465288EC5D}: NameServer = 69.50.188.180,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{76637F5D-C128-4857-B70B-AA5EF792CB74}: NameServer = 64.63.204.6 64.63.205.6
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.37
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.37
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.37

If you look up the IP addresses in
http://www.arin.net/index.html and
http://www.ripe.net/whois you will find some strange
people providing DNS services for a US based PC.


69.50.188.180 is atrivo.com, a well known spam sender's
haven in San Francisco.

195.225.176.37 is in the Ukraine!:

person: Vsevolod Stetsinsky
address: 01110, Ukraine, Kiev, 20Á, Solomenskaya
street. room 206.

64.63.204.6 is client6.fsfo1.hawkcommunications.com =
Hawk Communications in Atlanta the same people who offer
JOI low cost dialup service. Appears to be a legitimate
entry but even so not needed.

Since most people use DHCP to get their IP address and DNS
servers from their ISP, any fixed DNS entry is suspicious
and should at least be flagged by AntiSpy.

For those of you who are curious about a DNS hijacker and
how it works: Normally when you type in a URL like
att.com the name means nothing to your PC. In order to
send a message to att.com on the Internet it needs to know
the IP address (equivalent to its telephone number and
usually written A.B.C.D where the letters stand for
numbers between 0 and 255 with a few restrictions). It
usually gets this by asking a Domain Name Server or DNS.
How does it know which DNS to use? When you log on to an
ISP it usually assigns your PC its own IP address and at
the same time tells it the IP address of the DNS server.
So if all works well the DNS responds with the correct IP
address and the connection is made. What the malware does
is tell your PC that the IP address of the DNS is
something else. Now when you ask for att.com instead of
giving you the correct 192.20.5.55 it can give you
anything it wants to. It may give you the correct address
most of the time and just replace the IP address on
certain search sites if it's the usual adware/spyware or
just keep a record of what sites you ask for so it can
send you popups or other ads but it can also give out a
wrong address for a financial site like citybank.com and
the wrong address might be a server which has a webpage
which looks exactly like city bank's. You happily log in
and try and access your account and get some error message
but now they have your passwords and account number and
can clean you out.

Ron Kinner MVP 2004
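As an added example (not part of the original post), the following Python script does the check the post says AntiSpy should be doing: it parses the O17 lines of a HijackThis log, reports every static NameServer address it finds, and marks any address that is not in an allow-list of resolvers the user recognises. The sample log is constructed from the lines quoted above; the allow-list is an assumption, using the two Hawk Communications addresses the post calls legitimate in place of whatever the ISP really hands out.

```python
import ipaddress
import re

# Constructed sample log: the O17 lines quoted in the post, plus one
# unrelated O4 line to show that non-DNS entries are ignored.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{670984D9-8A85-4B48-8117-43465288EC5D}: NameServer = 69.50.188.180,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{76637F5D-C128-4857-B70B-AA5EF792CB74}: NameServer = 64.63.204.6 64.63.205.6
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.37
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.37
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.37
O4 - HKLM\..\Run: [SomeApp] C:\Program Files\SomeApp\app.exe
"""

# Assumed allow-list: the resolvers the user's ISP is known to hand out.
# Here the two Hawk Communications addresses the post calls legitimate.
EXPECTED_RESOLVERS = ("64.63.204.6", "64.63.205.6")

# O17 line shape: "O17 - <registry key>: <value name> = <data>"
O17_RE = re.compile(r"^O17 - (?P<key>HK(?:LM|CU)\\[^:]+): (?P<value>\w+) = (?P<data>.*)$")


def parse_o17(line):
    """Parse one HijackThis O17 line; return None for any other line.

    Windows stores resolver lists comma-separated (the VxD MSTCP key on
    Windows 9x) or space-separated (the per-interface Tcpip keys on the
    NT family), so both separators are accepted. Tokens that are not IP
    addresses are kept separately so a malformed value stays visible.
    """
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers, other = [], []
    for token in re.split(r"[,\s]+", m["data"].strip()):
        if not token:
            continue
        try:
            servers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            other.append(token)
    return {"key": m["key"], "value": m["value"], "servers": servers, "other": other}


def audit_name_servers(log_text, expected=EXPECTED_RESOLVERS):
    """Return one finding per static NameServer address in the log.

    Every static NameServer is reported, because on a DHCP-configured
    machine the value should normally be absent; addresses outside the
    allow-list are additionally marked UNEXPECTED.
    """
    allowed = {str(ipaddress.ip_address(s)) for s in expected}
    findings = []
    for line in log_text.splitlines():
        entry = parse_o17(line)
        if entry is None or entry["value"] != "NameServer":
            continue
        for server in entry["servers"]:
            findings.append({
                "server": server,
                "key": entry["key"],
                "status": "expected" if server in allowed else "UNEXPECTED",
            })
    return findings


def keys_by_server(findings):
    """Group registry keys per resolver address. A hijacker written into
    CS1, CS2 and CCS has to be removed from all of them: CCS is only an
    alias for one of the numbered control sets, and a copy left in the
    other one comes back if that control set is booted."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["server"], set()).add(f["key"])
    return grouped


if __name__ == "__main__":
    results = audit_name_servers(SAMPLE_LOG)
    for server, keys in sorted(keys_by_server(results).items()):
        status = next(f["status"] for f in results if f["server"] == server)
        print(f"{status:10} {server:16} in {len(keys)} key(s)")
        for key in sorted(keys):
            print(f"           {key}")
```

Run against the sample, the script lists 69.50.188.180 and 195.225.176.37 as UNEXPECTED in four keys each and the two Hawk addresses as expected in one key. On a live NT-family machine the same values sit under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}; a static NameServer there overrides the DHCP-supplied DhcpNameServer value next to it, which is why a machine that "uses DHCP" can still be sent to a rogue resolver.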

Ron Chamberlin

Ron,
There was some fresh info both yesterday and today on sans.org (
http://isc.sans.org/) about new DNS poisoning attempts. Seems related eh?

Ron Chamberlin
MS-MVP

