XP DNS Hijack / Redirection


Fred Marshall

Windows XP / Not a newbie:
No matter the application: IE, Opera, PING
All go to IP address 208.254.3.169 - buydomains.com
....as long as the URL given is
www.[any_nonsense_name_here].net
or
www.[any_nonsense_name_here].org

[This does not happen with .com URLs.]

So, it appears this is a DNS hijack.
The only DNS addresses listed in TCP/IP are two ISP DNS servers.
They don't resolve these unassigned names to the offending IP address.
Other computers using the same DNS servers don't show this redirection.

So, it definitely appears that the problem is local to the client computer.

Ad-Aware and Spybot S&D have both been used / updated / show nothing.

Previous HijackThis! logs have been posted with no apparent problems.

hosts files appear to be clean

the IP address does not show up in a Registry search, nor the name
"buydomains"

The source file for the page that appears contains:
<link REL="SHORTCUT ICON" HREF="/favicon.ico">
<title>««·´¯º·¸_BuyDomains.com_¸·º¯`·»» - Discount domain registration, DNS,
domain brokerage, domain appraisal and transfer, and Web hosting : </title>

...... for what that's worth.

I have two key questions:

1) How can DNS behavior be investigated / cleaned up?

2) How can problems like this hijack be elevated to folks who make it their
business to deal with threats? I don't seem to be able to generate any
interest in this issue.

Thanks in advance,

Fred
 
You could always just format and upon reinstall stay away
from where ever it was you picked up the spyware. Even
though Spybot never caught it, that doesn't mean
your 'puter isn't still infected.
 
Fred,
You might take a look at your browser helper objects. You may have a rogue
BHO. The rogue BHO wouldn't be visible in the registry by either the suspect
domain name or IP necessarily, since the BHO registry entry executes
(whenever an Internet browser is invoked/executed) a dll usually in
windows\system32 folder, and that may have binary coding for the behavior
noted (as does the Morpheus Browser Helper discussed in an MS KB article
dealing with that issue). With IE on XP you can see them in registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowserHelperObjects
\

I don't know if BHODemon is still available (great free download), you might
look for that (helps you to locate, identify [as some are good] and disable
BHOs). Another test for BHO-related mischief is to simply disable support
for 3rd party browser extensions in Internet Options-->Advanced under
"Browsing" and reboot--see if the behavior stops.

Have you taken a look at ipconfig /displaydns to see the contents of the DNS
resolver cache? It might point you to a rogue DNS name server on your own
computer. You can also flush the DNS cache with ipconfig /flushdns.

I assume, as far as DNS exam, that you used nslookup on the listed ISP DNS
servers when you say you found they didn't resolve unassigned names to the
offending IP.

Good hunting.

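The nslookup comparison suggested in the reply above, written out as a script. This is an added example, not code from the thread: it generates a random, unregistered www.*.net / www.*.org name (with .com as the control the poster says is unaffected), asks the host's own resolver via getaddrinfo(), and separately sends a raw DNS query over UDP to each configured DNS server, bypassing the Windows resolver, cache and any Winsock layer entirely. If the servers answer NXDOMAIN but getaddrinfo() still returns 208.254.3.169, the substitution is happening on the host (resolver cache, hosts file, a Winsock provider, or a local DNS proxy); if the servers themselves return that address, the problem is upstream. The two addresses in ISP_DNS_SERVERS are placeholders and must be replaced with the servers shown by `ipconfig /all` on the affected machine.

```python
"""Added example: tell a local DNS hijack from an upstream one by comparing
the OS resolver's answer with direct UDP queries to the configured servers."""
import random
import socket
import string
import struct

SUSPECT_IP = "208.254.3.169"                 # address reported in the thread
# ASSUMPTION: placeholder addresses; replace with the two servers listed by
# "ipconfig /all" on the affected machine.
ISP_DNS_SERVERS = ["192.0.2.1", "192.0.2.2"]
NXDOMAIN = 3                                 # DNS RCODE for "name does not exist"


def random_name(tld):
    """A name nobody has registered, e.g. www.kqzvtlpmwxab.net."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(12))
    return "www.%s.%s" % (label, tld)


def build_query(name, qid):
    """Minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def _skip_name(buf, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += n + 1


def parse_response(buf):
    """Return (id, rcode, [A record addresses]) from a raw DNS response."""
    qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", buf[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):               # skip the echoed question section
        off = _skip_name(buf, off) + 4
    addrs = []
    for _ in range(an):               # walk the answer section, keep A records
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return qid, rcode, addrs


def query_server(server, name, timeout=3.0):
    """Ask one DNS server directly over UDP, bypassing the OS resolver."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _peer = s.recvfrom(512)
    rid, rcode, addrs = parse_response(data)
    if rid != qid:
        raise ValueError("DNS transaction id mismatch")
    return rcode, addrs


def classify(system_addrs, server_results):
    """system_addrs: IPs the OS resolver returned ([] if it reported NXDOMAIN).
    server_results: {server: (rcode, addrs)} as returned by query_server()."""
    servers_clean = [s for s, (rc, a) in server_results.items() if rc == NXDOMAIN and not a]
    servers_bad = [s for s, (rc, a) in server_results.items() if SUSPECT_IP in a]
    if SUSPECT_IP in system_addrs and servers_bad:
        return "upstream: the DNS servers themselves return the suspect address"
    if SUSPECT_IP in system_addrs and servers_clean and not servers_bad:
        return "local: servers return NXDOMAIN but this host resolves to the suspect address"
    if not system_addrs and servers_clean:
        return "clean: resolver and servers agree the name does not exist"
    return "inconclusive: " + repr(server_results)


def run(tlds=("net", "org", "com")):
    """One random name per TLD; .com is the control the poster says is unaffected."""
    report = {}
    for tld in tlds:
        name = random_name(tld)
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET)
            system_addrs = sorted({ai[4][0] for ai in infos})
        except socket.gaierror:
            system_addrs = []                # resolver said the name does not exist
        results = {}
        for srv in ISP_DNS_SERVERS:
            try:
                results[srv] = query_server(srv, name)
            except (OSError, ValueError):
                results[srv] = (-1, [])      # unreachable, timed out, or bogus reply
        report[name] = classify(system_addrs, results)
    return report


if __name__ == "__main__":
    for name, verdict in run().items():
        print(name, "->", verdict)
```

Run it once before and once after `ipconfig /flushdns`; a "local" verdict that survives the flush rules out the resolver cache and points at the hosts file, the Winsock stack, or something proxying port 53 on the machine itself. getaddrinfo() takes the same resolver path that ping and the browsers use, which is why it reproduces the symptom the poster saw in all three.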
 
