Probable virus redirecting DNS queries

sdl;kfj

I'm pretty sure I'm dealing with a virus here, but it has me stumped. I've
run several of the major anti-virus, anti-malware programs available and
they did clean up quite a bit. However, I've still got one nagging problem.
All DNS requests for anti-virus sites return 127.0.0.1 (ping, tracert,
browser lookups, etc.) NSLookup yields the correct IP address. I've checked
and double checked the hosts and lmhosts file. They were at their defaults.
I've even tried adding my own entries into the hosts file and they were
ignored. (Yes, I've made sure that there is no extension on the hosts file.)
I don't know where else to look for anything that will answer DNS queries.

Any help you could provide would be appreciated.

Ken
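The split Ken describes has a simple explanation: ping, tracert and the browser go through the OS resolver (hosts file, then the Windows DNS Client), while nslookup builds its own query and sends it straight to the configured DNS server, ignoring the hosts file and anything hooked into the resolver path. So a hosts-file entry, or something intercepting lookups before they leave the machine, shows up as exactly this symptom. The Python script below is an added example, not code from this thread: it resolves a name through the OS resolver and through a direct UDP query to a DNS server (8.8.8.8 is assumed reachable for the live check), parses the reply, and flags the case where only the OS side answers 127.0.0.1. The vendor hostname and the reply bytes used in the offline demo are constructed.

```python
"""Compare the OS resolver's answer with a direct DNS query (added example)."""
import socket
import struct


def encode_name(name):
    """Encode a hostname as DNS labels (RFC 1035 wire format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Standard recursive A query: header, one question, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_a_response(name, ips, txid=0x1234, ttl=60):
    """Constructed reply for the offline demo: flags 0x8180 (QR, RD, RA),
    one A record per IP, answer name compressed as a pointer to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(response, expected_txid=None):
    """Extract IPv4 addresses from the answer section of a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch (reply does not match our query)")
    rcode = flags & 0x000F
    if rcode:
        raise ValueError("server returned RCODE %d" % rcode)
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(response, offset) + 4  # skip QTYPE/QCLASS
    ips = []
    for _ in range(ancount):
        offset = _skip_name(response, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(response[offset:offset + 4]))
        offset += rdlen
    return ips


def classify(os_ips, dns_ips):
    """Compare what the OS resolver returned with what the server returned."""
    os_set, dns_set = set(os_ips), set(dns_ips)
    if os_set == dns_set:
        return "consistent"
    os_loopback = bool(os_set) and all(ip.startswith("127.") for ip in os_set)
    dns_loopback = any(ip.startswith("127.") for ip in dns_set)
    if os_loopback and not dns_loopback:
        return "loopback-redirect"  # hosts-file or resolver-layer hijack, as in this thread
    return "mismatch"


def query_direct(name, server="8.8.8.8", timeout=3.0):
    """Send one UDP query straight to a DNS server, bypassing the OS resolver."""
    txid = 0x4242
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_a_records(data, expected_txid=txid)


def check_host(name, server="8.8.8.8"):
    """Live check: OS resolver (getaddrinfo) versus a direct query to `server`."""
    os_ips = sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    return classify(os_ips, query_direct(name, server))


if __name__ == "__main__":
    # Offline demonstration with a constructed reply for a made-up vendor name.
    reply = build_a_response("update.av-vendor.example", ["198.51.100.7"])
    print(classify(["127.0.0.1"], parse_a_records(reply)))  # loopback-redirect
```

Run `check_host("www.some-av-vendor.example")` against each site that fails; a result of `loopback-redirect` confirms the problem sits on the machine (hosts file or the resolver path) rather than at the DNS server, which is the same conclusion the thread reaches. The transaction-id check in `parse_a_records` is there so a stray or spoofed datagram is not mistaken for the answer.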
 
Elmo

sdl;kfj said:
I'm pretty sure I'm dealing with a virus here, but it has me stumped. I've
run several of the major anti-virus, anti-malware programs available and
they did clean up quite a bit. However, I've still got one nagging problem.
All DNS requests for anti-virus sites return 127.0.0.1 (ping, tracert,
browser lookups, etc.) NSLookup yields the correct IP address. I've checked
and double checked the hosts and lmhosts file. They were at their defaults.
I've even tried adding my own entries into the hosts file and they were
ignored. (Yes, I've made sure that there is no extension on the hosts file.)
I don't know where else to look for anything that will answer DNS queries.

Any help you could provide would be appreciated.

Ken

A Google search netted this possible cause/solution:

http://www.mihaiu.name/2005/windows-hosts-file-ignored/
 
1PW

I'm pretty sure I'm dealing with a virus here, but it has me stumped. I've
run several of the major anti-virus, anti-malware programs available and
they did clean up quite a bit. However, I've still got one nagging problem.
All DNS requests for anti-virus sites return 127.0.0.1 (ping, tracert,
browser lookups, etc.) NSLookup yields the correct IP address. I've checked
and double checked the hosts and lmhosts file. They were at their defaults.
I've even tried adding my own entries into the hosts file and they were
ignored. (Yes, I've made sure that there is no extension on the hosts file.)
I don't know where else to look for anything that will answer DNS queries.

Any help you could provide would be appreciated.

Ken

Hello Ken:

At least some likelihood exists that you are still infected with a
"DNSChanger" Trojan or variant.

Please reply with all manner of details that would help us to help you:

What exact OS are you using? What /are/ *ALL* the antimalware programs
you tried?

Some would have you "level and rebuild". However, some antimalware
solutions may further assist you in making that decision.

Are you familiar with MBAM and/or SAS?

Best wishes to you Ken.

Pete
 
sdl;kfj

1PW said:
Hello Ken:

At least some likelihood exists that you are still infected with a
"DNSChanger" Trojan or variant.

Please reply with all manner of details that would help us to help you:

What exact OS are you using? What /are/ *ALL* the antimalware programs
you tried?

Some would have you "level and rebuild". However, some antimalware
solutions may further assist you in making that decision.

Are you familiar with MBAM and/or SAS?

Best wishes to you Ken.

Pete

Sorry about that...
I'm running XP Pro SP2. I've run AVG 8.0, AntiVir, MBAM, Spybot S&D, and
Ad-Aware. I've never heard of SAS. I'll look for it and give it a try.

Thanks for your help
Ken
 
sdl;kfj

1PW said:
Hello Ken:

At least some likelihood exists that you are still infected with a
"DNSChanger" Trojan or variant.

Please reply with all manner of details that would help us to help you:

What exact OS are you using? What /are/ *ALL* the antimalware programs
you tried?

Some would have you "level and rebuild". However, some antimalware
solutions may further assist you in making that decision.

Are you familiar with MBAM and/or SAS?

Best wishes to you Ken.

Pete

It turned out to be a rootkit. SAS (SuperAntiSpyware) caught it and cleaned
it up.

Thanks for all your help.

Ken
 
Buffalo

sdl;kfj wrote:
[snip]
It turned out to be a rootkit. SAS (SuperAntiSpyware) caught it and
cleaned it up.

Thanks for all your help.

Ken

Thanks for posting the remedy and problem.
SAS and MBAM are two great free programs that catch and correct most malware
when used together (one at a time).
Buffalo
 
1PW

It turned out to be a rootkit. SAS (SuperAntiSpyware) caught it and cleaned
it up.

Thanks for all your help.

Ken

Hello Ken:

We are collectively happy for you. Buffalo is right on - we are very
pleased with SAS & MBAM.

Did SUPERAntiSpyware identify the malware specifically by name? Its
logs may have this if you don't remember.

Some will caution that your system may *NOT* have completely been
sanitized, and they may be unquestionably correct.

Proceed at your risk. At the very minimum, your system /may/ at least
be able to do a selective backup of your data files prior to "level and
rebuild". YMMV

Please don't thank just me - please thank those whose shoulders I stand
upon.

Good wishes to you,

Pete
 
Kayman

It turned out to be a rootkit. SAS (SuperAntiSpyware) caught it and cleaned
it up.

It wouldn't hurt to create a HJT log and post it to an appropriate forum
for expert examination.

Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Please, do not post HJT logs to this newsgroup.

Fora where you can get expert advice for HiJack This! (HJT) logs.

http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?s=2e9ea4e19d3289dd877ab75a8220bff6&showforum=29

NOTE:
Registration is required in any of the above mentioned fora before posting
a HJT log, and read the 'stickies' (instructions/guidelines) for the
respective HJT forum.

Additional Information:
GMER - is an application that detects and removes rootkits.
http://www.gmer.net/index.php
http://antirootkit.com/forums/index.php?sid=9e746bb696ac0bb38781ffe4361c3a17

Good luck :)
 
