Question


    DNS

    by ramuvr ·

    I have a Windows XP SP2 PC with regular updates. I had an issue one month back, when my ISP stopped providing me access to Google websites. I changed the network settings of my internet connection and used OpenDNS instead. It worked fine until last week when I ran ipconfig /displaydns on my PC. I got the following result:

    -----------------------------------------------
    file7.qqhelper.com
    ----------------------------------------
    Record Name . . . . . : file7.qqhelper.com
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    www.forseo.com
    ----------------------------------------
    Record Name . . . . . : www.forseo.com
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    www.frostwire.click-new-download.com
    ----------------------------------------
    Record Name . . . . . : www.frostwire.click-new-
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    frostwire.click-new-download.com
    ----------------------------------------
    Record Name . . . . . : frostwire.click-new-down
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    www.antispywarexp.com
    ----------------------------------------
    Record Name . . . . . : www.antispywarexp.com
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    americanautobargains.com
    ----------------------------------------
    Record Name . . . . . : americanautobargains.com
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    www.nicecodec.net
    ----------------------------------------
    Record Name . . . . . : www.nicecodec.net
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    www.harddrevvagt.com
    ----------------------------------------
    Record Name . . . . . : www.harddrevvagt.com
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    virgiio.it
    ----------------------------------------
    Record Name . . . . . : virgiio.it
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    www.virdgilio.it
    ----------------------------------------
    Record Name . . . . . : www.virdgilio.it
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    www.tuttograatis.it
    ----------------------------------------
    Record Name . . . . . : www.tuttograatis.it
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    spywarebot-t.com
    ----------------------------------------
    Record Name . . . . . : spywarebot-t.com
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    spermatrix.com
    ----------------------------------------
    Record Name . . . . . : spermatrix.com
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    www.searchfromyourbrowser.net
    ----------------------------------------
    Record Name . . . . . : www.searchfromyourbrowse
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    www.rosaoalice.it
    ----------------------------------------
    Record Name . . . . . : www.rosaoalice.it
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    paginegialler.it
    ----------------------------------------
    Record Name . . . . . : paginegialler.it
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    www.mylimewirenetwork.com
    ----------------------------------------
    Record Name . . . . . : www.mylimewirenetwork.co
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    liberok.it
    ----------------------------------------
    Record Name . . . . . : liberok.it
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    www.l8bero.it
    ----------------------------------------
    Record Name . . . . . : www.l8bero.it
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    www.justcount.net
    ----------------------------------------
    Record Name . . . . . : www.justcount.net
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    internet-optimizer.com
    ----------------------------------------
    Record Name . . . . . : internet-optimizer.com
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    httpwwwads.com
    ----------------------------------------
    Record Name . . . . . : httpwwwads.com
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    www.errari.it
    ----------------------------------------
    Record Name . . . . . : www.errari.it
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    www.energy-factor.com
    ----------------------------------------
    Record Name . . . . . : www.energy-factor.com
    Record Type . . . . . : 1
    Time To Live . . . . : 602582
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
    
    Section . . . . . . . : Answer
    -----------------------------------------------

    I can see that most of the websites stated are spam or spyware sites. I changed back to automatic configuration for DNS and ran ipconfig /flushdns. But the displaydns command still returns the same results. My access issue to Google sites has been solved in the meantime. I have Avast Antivirus Home for protection. I run Spybot once in a while and Trend Antirootkit scanner beta is run once in a week.

    Any suggestions/resolutions?

    Should I clear ARP cache?
    Any idea if there are any manual DNS entries in the OS where we can delete the entries?
    Any idea about registry entries that can be used for resolving the issue?


All Answers

    • #3319763

      Clarifications

      by ramuvr ·

      In reply to DNS

      Clarifications

    • #2558637

      I have the same issue

      by louis.slabbert ·

      In reply to DNS

      Hi Ramuvr
      A laptop of mine has been compromised recently and I’m still troubleshooting exactly what happened (no I haven’t formatted it yet as I believe there’s some traces to be found)

      My case was with the VB.AutoRun family of Trojans. (The laptop was used by a few people in a house share without Deepfreeze or Steadystate installed…lesson learnt)

      The link below is a good explanation of some of the characteristics:
      http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.jcwcn.com/html/virus/07_24_25_32.htm&sa=X&oi=translate&resnum=1&ct=result&prev=/search%3Fq%3Dshellexecute%253Dauto.exe%26hl%3Den%26client%3Dfirefox-a%26rls%3Dorg.mozilla:en-GB:official%26hs%3DPqR%26sa%3DG

      It also connects to an online update.txt file and downloads more programs to execute.

      I only saw my ipconfig /displaydns to be similar to yours a few minutes ago.

      Have you had any weird behaviour on your particular system recently?
      In particular, an error message:
      “Cannot Copy auto.exe as it is in use”?

      Thought it might be related…
      Please update this thread if you find a resolution.

      • #2556990

        Hi

        by ramuvr ·

        In reply to I have the same issue

        Hi Louis,

        I don’t get such messages.

        But what I suspect is that my internet activity and information might be compromised. I have stopped using Credit cards online due to this. I think since this is a DNS issue, they could track the web pages we hit and also basic information like email id’s we use, if not the passwords. I get a lot of spam mails in gmail and Yahoo.

        I use an Avast Antivirus and run SUPERAntiSpyware [I used to have SpyBot] engines. I don’t know if this is enough and plan to use Microsoft Defender.

        Thanks for the info on the Trojan, I will watch it.

        What baffles me is the fact that flushdns is not able to purge the Resolver cache.

        Can you confirm for me if the results of “ipconfig /displaydns” are indeed what are supposed to be flushed by “ipconfig /flushdns”?
        Now I seriously doubt that. I even tried to purge the ARP cache. But that did not help things here.
        Best regards

        Ramu

    • #2556956

      My advice

      by kjell_andorsen ·

      In reply to DNS

      It definitely seems your system has been compromised by malware. I would supplement your Spybot scans with a couple of other anti-malware programs, such as adaware or avg anti-spyware (both free). If this doesn’t resolve it, you should download and run hijackthis and post the logs on a dedicated anti-malware forum.

      You might also want to look at your hosts file (usually found under C:\windows\system32\drivers\etc). Use notepad to open the file and see if there are any other entries than one that says

      127.0.0.1 localhost

      If so you can probably delete them. Don’t delete any line that starts with # since these lines are harmless.

      Hope that helps

    • #2556911

      Re: DNS

      by compuwysepc ·

      In reply to DNS

      ipconfig /flushdns clears the locally cached DNS records, however what you see displayed appears to be your hosts file, which looks to be corrupt. Clear the hosts file and then you shouldn’t get those results the next time you run ipconfig /displaydns. If you do, you have been hijacked and you need to eliminate the infections before you will see the proper results.

      • #2557287

        Thanks

        by ramuvr ·

        In reply to Re: DNS

        Thanks for that update.

        Quote:
        “clear the hosts file and then you shouldn’t get those results the next time ”

        How do I do this ?

        • #2557178

          easy

          by kjell_andorsen ·

          In reply to Thanks

          Open the hosts file (the path to locate it was in my previous reply). Then delete any line that doesn’t start with # except for the one that says

          127.0.0.1 localhost
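
The hosts-file check suggested in the replies above, as an added Python example that is not part of any post in this thread: it separates `ipconfig /displaydns` entries that come from the hosts file (and so are not removed by `ipconfig /flushdns`) from genuinely cached lookups, and lists every hosts entry other than `localhost`. The sample inputs, `www.example.org`, `192.0.2.10` and all function names are constructed for illustration.

```python
import re

def _record(name, ttl, addr):
    # Constructed sample record in ipconfig's layout; Record Name cut at 24 chars as in the thread.
    return (f"    {name}\n    {'-' * 40}\n    Record Name . . . . . : {name[:24]}\n"
            f"    Time To Live  . . . . : {ttl}\n    A (Host) Record . . . : {addr}\n\n")

# Constructed inputs: two entries backed by the hosts file, one ordinary cached lookup.
SAMPLE_DISPLAYDNS = (_record("www.frostwire.click-new-download.com", 602582, "127.0.0.1")
                     + _record("spywarebot-t.com", 602582, "127.0.0.1")
                     + _record("www.example.org", 41, "192.0.2.10"))
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
127.0.0.1   www.frostwire.click-new-download.com   # trailing comment
127.0.0.1   spywarebot-t.com www.antispywarexp.com
"""

def parse_hosts(text):
    """Map lowercase hostname -> address for every active (non-comment) hosts line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        for name in fields[1:]:                  # one address may carry several names
            entries[name.lower()] = fields[0]
    return entries

def parse_displaydns(text):
    """Return (full_name, address) pairs; the name comes from the header line
    above the dashes because the 'Record Name' field can be truncated."""
    lines = [l.strip() for l in text.splitlines()]
    records, name = [], None
    for prev, cur in zip(lines, lines[1:]):
        if prev and cur and set(cur) == {"-"}:
            name = prev.lower()
        m = re.match(r"A \(Host\) Record[ .]*:\s*(\S+)", cur)
        if m and name:
            records.append((name, m.group(1)))
    return records

def classify(displaydns_text, hosts_text):
    """Split resolver entries into hosts-backed and cached; list non-localhost hosts names."""
    hosts = parse_hosts(hosts_text)
    from_hosts, cached = [], []
    for name, addr in parse_displaydns(displaydns_text):
        (from_hosts if hosts.get(name) == addr else cached).append(name)
    return from_hosts, cached, sorted(n for n in hosts if n != "localhost")

if __name__ == "__main__":
    for label, names in zip(("from hosts file", "cached", "hosts entries to review"),
                            classify(SAMPLE_DISPLAYDNS, SAMPLE_HOSTS)):
        print(f"{label}: {names}")
```

On a real machine, feed it the saved output of `ipconfig /displaydns` and the contents of the hosts file instead of the constructed samples.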
