Unable to use internet due to suspected DNS malware

-1

I downloaded a MIDI file on my Windows 8.1 laptop last night. Since then, whenever I open Chrome, I get a standard "Web Page Not Available" error for ALL the sites I try to visit.

Firefox and Internet Explorer wouldn't open ANY page either. I am pretty sure that malware is the cause, as I've had similar infections before.

I ran scans using the following tools in both safe mode and normal mode (using the latest signatures):
1) Malwarebytes Antimalware
2) Spybot
3) Microsoft Anti-Malware tool

I even ran a McAfee virus scan. Surprisingly, all the malware removal tools and McAfee failed to detect even a single object!
I was quite surprised because last time, I resolved the issue by using the malware removal tools (which detected objects and deleted them).

However, after spending hours on Google, I found out that the issue can be resolved by running the ipconfig /flushdns command in cmd. I tried it and the issue was resolved TEMPORARILY. But if I close and restart Chrome, or if I leave Chrome idle for some time, the issue reappears.

I have tried resetting Winsock and IP using the following cmd commands, with no respite:

    netsh winsock reset
    netsh winsock reset catalog
    netsh int ipv4 reset reset.log
    netsh int ipv6 reset reset.log
    netsh int ip reset c:\resetlog.txt

I even ran the Avira DNS Repair Tool, but it said there was no need for repairing as the DNS settings had not been altered by DNS-changing malware.

I would appreciate a good solution ASAP as I'm not able to use the internet.

Note:
1) I connect to the modem using Wi-Fi. I tried connecting with a LAN cable later, but it made no difference.
2) There are NO connectivity issues when connecting via either mode.

Thanks in advance!

EDIT

This is my trace route to google.com

[screenshot: trace route to google.com]

user241704

Posted 2014-07-22T14:51:38.347

Reputation:

1Let's pretend for a while that you DIDN'T get malware from that midi file (which is highly unlikely), and just troubleshoot as if it's not... So -- Is this your personal machine, or a work machine? Does it behave the same way while booted into Safe Mode with Networking? How about in Normal mode as a different user? – Ƭᴇcʜιᴇ007 – 2014-08-05T19:39:52.173

If you ran a Malwarebytes scan and it says your machine does not have malware then chances are extremely high that's the case. That tracert to google.com is completely normal, by the way. – SamAndrew81 – 2019-04-03T18:05:15.920

Answers

3

If anti-malware/bloatware tools are what you are looking at, here are a few:

  1. SuperAntiSpyware
  2. Malwarebytes
  3. ComboFix
  4. AdwCleaner
  5. CCleaner Temp File Cleaner

Run ComboFix last.

pulsarjune

Posted 2014-07-22T14:51:38.347

Reputation: 1 242

I have cleaned all my temp files manually. ComboFix is not compatible with Windows 8. I have already checked for spyware using Spybot. – None – 2014-07-25T14:12:01.107

1@AntoOswin - ComboFix works with Windows 8; what in the world are you talking about? – Ramhound – 2014-07-31T00:41:35.723

3

Try uploading the MIDI file you are sure caused the problem to virustotal.com. It will show you what type of infection you have; then clean accordingly.

AEonAX

Posted 2014-07-22T14:51:38.347

Reputation: 441

I deleted that MIDI file as soon as the symptoms started showing up. – None – 2014-07-27T14:38:56.437

1@AntoOswin If you can find it again, you can point VirusTotal to the URL. – Iszi – 2014-07-30T16:05:10.380

3

Check your HOSTS file:

On Windows 7 & Windows 8, Notepad must be run as Administrator.

1. Right-click Notepad and select Run as administrator

2. When Notepad opens, click File -> Open

    C:\Windows\System32\Drivers\etc\hosts

3. Click Open

The DEFAULT hosts file is below; compare and modify. You could just replace it, but back up the existing file first just in case, or comment out the lines in the file with the pound character.

For Windows 7 & 8

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost

Logman

Posted 2014-07-22T14:51:38.347

Reputation: 3 452

This is an IDENTICAL copy of the hosts file on my system, except that mine starts with 'Copyright (c) 1993-2009 Microsoft Corp.' – None – 2014-07-27T14:38:03.603
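As an added example (not code from Logman's answer or from the original page), the following PowerShell script does the comparison above automatically: it parses the live hosts file, lists every active (non-comment) mapping, flags anything that is not a plain localhost loopback, shows the file's last write time, and can take a timestamped backup before you edit. It assumes the standard path under %SystemRoot% and an elevated prompt (needed to write the backup beside the file).

```powershell
# Added example, not from the original answer: audit the Windows hosts file.
# On a default Windows 7/8 installation every line is a comment, so any active
# mapping is worth a look. Run from an elevated PowerShell prompt.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsEntries {
    param([string]$Path = $HostsPath)

    $lineNumber = 0
    foreach ($raw in Get-Content -Path $Path) {
        $lineNumber++
        # Drop inline comments ("1.2.3.4 host # note") and surrounding whitespace
        $line = ($raw -split '#', 2)[0].Trim()
        if ($line -eq '') { continue }

        $fields = $line -split '\s+'
        $ip     = $fields[0]
        $names  = if ($fields.Count -gt 1) { $fields[1..($fields.Count - 1)] } else { @() }

        # The only mapping Windows itself ever shipped active is localhost ->
        # loopback; anything else was added later by someone or something.
        $isLoopback = ($ip -eq '127.0.0.1' -or $ip -eq '::1')
        $otherNames = @($names | Where-Object { $_ -ne 'localhost' })
        $benign     = $isLoopback -and ($otherNames.Count -eq 0)

        [pscustomobject]@{
            Line       = $lineNumber
            IPAddress  = $ip
            HostNames  = ($names -join ', ')
            Suspicious = -not $benign
        }
    }
}

function Backup-HostsFile {
    # Timestamped copy beside the original; returns the backup path.
    param([string]$Path = $HostsPath)
    $backup = '{0}.{1}.bak' -f $Path, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -Path $Path -Destination $backup
    return $backup
}

# Report. Mappings that send update or security-vendor names to 127.0.0.1, or
# send familiar names to an unfamiliar address, are the classic tampering sign.
$entries = @(Get-HostsEntries)
if ($entries.Count -eq 0) {
    Write-Host 'No active entries: the hosts file matches the shipped default.'
} else {
    $entries | Format-Table -AutoSize
    $flagged = @($entries | Where-Object { $_.Suspicious })
    Write-Host ('{0} active entries, {1} flagged for review.' -f $entries.Count, $flagged.Count)
}

# A recent LastWriteTime on a file the owner never edited is itself a clue.
Get-Item -Path $HostsPath | Select-Object FullName, LastWriteTime, Attributes

# Before editing by hand, take a copy:
# Backup-HostsFile
```

A clean result here (as the asker reports in the comment above) rules out the hosts file but not the resolver cache or the DNS server addresses, which the later answers go on to check.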

3

Your issue, Anto, sounds similar to what one of my users had about a month or two ago. Though not precisely the same, it's similar enough for you to try the techniques we used yourself.

In her case, Outlook would connect fine for a few minutes after opening and then give her a certificate error message that there was a problem with the "proxy server's security certificate". Opening the certificate in detail, it documented the certificate path as leading to a root certificate oddly called DO_NOT_TRUST_FiddlerRoot.

When she browsed the internet through Internet Explorer, she got a webpage saying "There is a problem with this website's security certificate". She had to acknowledge the message to continue to the website. This happened for any website she visited.

We tried a number of things, including removing unfamiliar programs as well as removing the above Fiddler certificate. In the end we found that IE's proxy settings kept being changed to 127.0.0.1. Upon removing those proxy settings, those symptoms were gone. However, as in your case, the proxy settings returned upon reopening IE.

We worked out that the registry setting for IE's proxy settings was HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings and then Proxy Server. As we removed the proxy settings from IE we could see that registry value update. Similarly, when the unwanted proxy setting returned to IE, that registry value would get updated.

We then turned to Sysinternals' Process Monitor for help. This captures a trace of everything (file and registry access) that happens on a machine. We could use Process Monitor to check which process was amending that registry key.

(Process Monitor is quite easy to use straight away, but if you need more info on it, the other articles under my name describe it more fully.)

We removed the proxy settings and then ran Process Monitor for around the half minute it took for the malware to restore the proxy settings. We looked at Process Monitor's trace, searched for the above registry key and saw that it was being modified by a process called Browsersafeguard. We then removed Browsersafeguard and the problem was gone.

So, I hope that helps, Anto. The symptoms are similar enough for you to try the techniques we used yourself. This should help you try to remove the malware without changing the DNS.

Good luck.

user319647

Posted 2014-07-22T14:51:38.347

Reputation: 332

I also suggested to @AntoOswin earlier that he check his proxy settings. Your experience confirms the possibility this suggestion remains relevant. – I say Reinstate Monica – 2014-07-31T03:03:52.887

None of the answers to this question have solved my problem. However, this answer might help someone else who has a DNS malware attack different from mine. Thus bounty awarded. – None – 2014-08-01T03:05:23.113
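As an added example (not code from user319647's answer), this PowerShell snippet reads the same registry location the answer identified and then polls it, so the moment a value reverts is timestamped and can be lined up against a Process Monitor capture filtered on that key. It assumes the standard HKCU Internet Settings key; the set of value names checked and the polling interval are the example's own choices.

```powershell
# Added example, not from the original answer: snapshot and watch the per-user
# Internet Settings proxy values. Assumes the standard HKCU key; value names
# and polling interval are choices made for this example.

$ProxyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ValueNames = 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL'

function Get-ProxyState {
    # Hashtable of the proxy-related values; values that do not exist map to $null.
    $props = Get-ItemProperty -Path $ProxyKey -ErrorAction Stop
    $state = @{}
    foreach ($name in $ValueNames) {
        $prop = $props.PSObject.Properties[$name]
        $state[$name] = if ($prop) { $prop.Value } else { $null }
    }
    return $state
}

function Compare-ProxyState {
    # Names of the values that differ between two snapshots.
    param([hashtable]$Before, [hashtable]$After)
    foreach ($name in $ValueNames) {
        if ([string]$Before[$name] -ne [string]$After[$name]) { $name }
    }
}

function Show-ProxyState {
    param([hashtable]$State)
    foreach ($name in $ValueNames) {
        '{0,-14} = {1}' -f $name, $State[$name]
    }
}

function Watch-ProxyChanges {
    # Poll until the deadline and report every change with a timestamp that can
    # be matched to the Process Monitor trace.
    param([int]$Seconds = 120, [int]$IntervalSeconds = 2)
    $previous = Get-ProxyState
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $IntervalSeconds
        $current = Get-ProxyState
        $changed = @(Compare-ProxyState -Before $previous -After $current)
        if ($changed.Count -gt 0) {
            Write-Host ('{0:HH:mm:ss.fff} change in: {1}' -f (Get-Date), ($changed -join ', '))
            Show-ProxyState $current
            $previous = $current
        }
    }
}

# 1. Current state. ProxyEnable = 1 with ProxyServer pointing at 127.0.0.1, or
#    an AutoConfigURL you never set, is the pattern the answer describes.
Write-Host 'Current proxy values:'
Show-ProxyState (Get-ProxyState)

# 2. Clear the proxy in Internet Options, start a Process Monitor capture with a
#    filter on the key path above, then run the watcher and wait for the revert.
Watch-ProxyChanges -Seconds 120
```

The watcher only tells you when the value changed; Process Monitor's trace, filtered on the key path and the timestamp, tells you which process wrote it, which is the step that identified Browsersafeguard in the answer.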

3

If you're absolutely certain the issue must be with malware and nothing else, despite every reputable malware detection tool saying otherwise, there are only two options remaining:

  1. Remove the hard drive, and attach it to another system as a secondary drive. Then, use the other system to scan for and remove the malware.
  2. If option 1 fails to detect and/or remove your problem, re-format the drive using known-good OS installation media. After this, do not restore any backed-up data to the system. All backups from the previous installation should be thrown away, as they are obviously infected with malware that nobody can detect.

Iszi

Posted 2014-07-22T14:51:38.347

Reputation: 11 686

I will go with this one if all else fails... it will be my last resort. – None – 2014-07-31T05:54:14.257

2

Check your proxy settings. In Internet Explorer > Tools menu > Internet Options > Connections tab > LAN Settings, make sure "Use a proxy server for your LAN" isn't selected.

Failing that, you need to establish whether the problem here is with your web browser(s) or a networking issue (both of which could be caused by malware). Try to establish a connection to Google's website without using a browser. You can do this with telnet (see how to enable the Telnet client in Windows 8) by running this command from a Command Prompt:

    telnet www.google.com 80

If you're immediately taken to a blank screen, you successfully connected (press CTRL+] then type quit and press Enter to exit). This means you need to focus on your web browser (add-ins, settings, etc.).

If it just sits there saying "Connecting To www.google.com..." and then eventually returns "Could not open connection to the host, on port 80: Connect failed", then your problem is a networking issue, not a browser issue.

Next, compare the networking settings between your computer and a known-working machine, both connected to the same network in the same way (either both wireless or both wired). Then from a Command Prompt run

    ipconfig /all

on both computers and compare the settings, paying special attention to Default Gateway, DHCP Server, DNS Servers (which should be identical) and IPv4 address (the first three numbers ["octets"] should probably match and the last number differ). Any differences here could be clues to your problem.

You could also try connecting your machine directly to your Internet connection. Take the cable currently plugged into the WAN port of your router and plug it into your computer. If your problem goes away (or even changes in some material way) this tells you the problem is on your local network.

I'm not discounting your suspicion that malware is at the root of your problem. Because none of your scans have found anything, you must establish what the malware has broken in order to know where to look more specifically for the cause, whether that is malware or something else.

If these steps get you no closer to a solution and your other computers are working fine on the same network, then I'll put my vote in the hat for an OS reinstall.

I say Reinstate Monica

Posted 2014-07-22T14:51:38.347

Reputation: 21 477

C:\WINDOWS\system32>telnet www.google.com 80 Connecting To www.google.com...Could not open connection to the host, on port 80: Connect failed – None – 2014-07-27T09:57:31.600

OK. What about comparing the IPCONFIG output of your system with the others on the network? – I say Reinstate Monica – 2014-07-27T22:44:34.683

1And you should also try connecting directly to your Internet without going through your router. This will tell us whether the problem is with your computer or something on the inside of your network. – I say Reinstate Monica – 2014-07-27T22:46:52.223

1@AntoOswin, have you tried connecting your computer directly to your Internet connection, outside of your local network? – I say Reinstate Monica – 2014-07-30T12:27:03.770

My network connection is such that I can connect my laptop to the internet via router only (because nothing else has a lan port).... – None – 2014-07-31T05:46:48.477

1

Try going to "Network Connections", then right-click on your wireless network connection and click Properties. This will open a dialogue box with a list. On this list select "Internet Protocol Version 4 (TCP/IPv4)" and then click Properties. Make sure that all the settings here are set to "automatic".

You also may want to check the advanced button in this window which opens another window that has a DNS tab.

Blaine

Posted 2014-07-22T14:51:38.347

Reputation: 1 477

1My original DNS settings (before the issue) were set to automatic. Now it only works when I set it to manual and set the DNS to Google's 8.8.8.8. I checked the advanced window. Checked out all the options. No respite. – None – 2014-07-25T14:24:05.257

1@AntoOswin - Have you verified your internet service provider's DNS servers are actually working? – Ramhound – 2014-07-31T00:42:15.740

@Ramhound Yes my ISP's DNS is working fine on my Windows 7 PC and my Windows Phone. – None – 2014-07-31T05:51:24.240

1@AntoOswin - You have verified both PCs are using the same DNS ip addresses? This can be verified by doing ipconfig /all – Ramhound – 2014-07-31T11:12:32.293
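As an added example (not code from I say Reinstate Monica's answer with the telnet and ipconfig tests, nor from Blaine's answer and the comments above about manual 8.8.8.8 working), this PowerShell script separates the layers a browser depends on without using a browser: it lists the resolvers the adapters are using, resolves a name both through the normal local path and directly against a reference server, attempts the same TCP connect to port 80 that the telnet test performs, and reads the combination. It assumes Windows 8.1 with PowerShell 4.0, where Resolve-DnsName, Get-DnsClientServerAddress and Test-NetConnection ship in the box; the target name and the reference resolver are choices for the example (8.8.8.8 being the one the asker already tried by hand).

```powershell
# Added example, not part of either answer: test the layers a browser depends
# on without a browser. Assumes Windows 8.1 / PowerShell 4.0 cmdlets.
# $Target and $ReferenceResolver are choices made for this example.

$Target            = 'www.google.com'
$ReferenceResolver = '8.8.8.8'

function Get-ConfiguredResolvers {
    # The resolvers the adapters actually use (the "DNS Servers" line of ipconfig /all).
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Select-Object InterfaceAlias, @{ n = 'Servers'; e = { $_.ServerAddresses -join ', ' } }
}

function Resolve-Via {
    param([string]$Name, [string]$Server)
    # With -Server, -DnsOnly and -NoHostsFile the answer really comes from that
    # server; without them it is whatever the local stack would hand a browser
    # (resolver cache, hosts file, configured resolvers). Returns IPv4 strings.
    try {
        $records = if ($Server) {
            Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop
        } else {
            Resolve-DnsName -Name $Name -Type A -ErrorAction Stop
        }
        @($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch {
        @()
    }
}

function Test-IsLocalOrPrivate {
    param([string]$Ip)
    # A public name resolving to loopback, unspecified or RFC 1918 space is a
    # red flag for hosts-file or resolver tampering.
    $Ip -match '^(127\.|0\.0\.0\.0$|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
}

# Layer 1: name resolution, configured path versus reference server.
Write-Host 'Configured resolvers:'
Get-ConfiguredResolvers | Format-Table -AutoSize
$viaConfigured = Resolve-Via -Name $Target
$viaReference  = Resolve-Via -Name $Target -Server $ReferenceResolver
Write-Host ('{0} via configured path: {1}' -f $Target, ($viaConfigured -join ', '))
Write-Host ('{0} via {1}: {2}' -f $Target, $ReferenceResolver, ($viaReference -join ', '))

# Layer 2: the telnet test from the answer, as a plain TCP connect to port 80.
$tcp = Test-NetConnection -ComputerName $Target -Port 80 -WarningAction SilentlyContinue

# Layer 3: read the combination.
if ($viaConfigured.Count -eq 0 -and $viaReference.Count -gt 0) {
    Write-Host 'Resolution fails only through the configured path: suspect the cache, hosts file, resolver list, or whatever keeps rewriting them.'
} elseif (@($viaConfigured | Where-Object { Test-IsLocalOrPrivate $_ }).Count -gt 0) {
    Write-Host 'A public name resolves to a local or private address: check the hosts file and the resolver addresses.'
} elseif ($viaConfigured.Count -gt 0 -and -not $tcp.TcpTestSucceeded) {
    Write-Host 'Name resolves but TCP connect fails: look at firewall, Winsock/LSP, proxy or routing rather than DNS.'
} elseif ($tcp.TcpTestSucceeded) {
    Write-Host 'Network path works without a browser: focus on browser settings, add-ins and proxy configuration.'
} else {
    Write-Host 'Neither name resolution nor TCP connect works: compare ipconfig /all with a known-good machine on the same network.'
}
```

Two addresses that merely differ between the configured path and the reference server are not by themselves a finding, since CDN-hosted names legitimately resolve differently per resolver; the script therefore only flags answers that are local or private, or resolution that fails through one path and not the other. Run it on the working Windows 7 PC as well and compare the resolver lists, which is the ipconfig /all comparison the answer asks for.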

1

Reset your router, completely. This means not just power cycling, but using the reset button as detailed in the manual.

It is very likely the DNS server settings on your router have been manipulated. This is possible by simply browsing to a malicious website when the router is vulnerable (bugs, backdoors, you name it). No traces (except in the browsing history perhaps) will remain on your computer, so no AV scanner will ever find anything.

This type of attack changes the DNS servers your router would query. Since all computers and devices in your network usually use the router’s DNS forwarding service, all of them are affected. The “bad guy’s” DNS server would then respond with the IP address of a man-in-the-middle attack server that grabs your passwords and the like.

Daniel B

Posted 2014-07-22T14:51:38.347

Reputation: 40 502

Did a full system reset of the router as you told. No respite. I think I have already mentioned that other devices connected to the same network and router have NO problem. I don't think there is any problem with the router. – None – 2014-07-25T14:21:04.247

Well, you’re in luck then. A vulnerable router with no update available would need to be replaced, after all. ;) – Daniel B – 2014-07-25T14:22:04.890

So you want me to replace my router? – None – 2014-07-26T07:30:32.523

No. It doesn't appear to be affected, after all. – Daniel B – 2014-07-26T08:22:52.660

0

Try using System Restore to restore your computer to a point in time prior to the unwanted symptoms showing up. This will remove most forms of malware and would also revert any other changes that could have broken your DNS functionality.

I say Reinstate Monica

Posted 2014-07-22T14:51:38.347

Reputation: 21 477

I checked that option. There were NO restore points stored prior to the symptoms. I won't be able to do a system restore. – None – 2014-07-26T07:30:06.370

@Twisty - Why did you post 3 different answers to this question? – Ramhound – 2014-07-31T00:38:59.790

Because solving the problem with System Restore is in no way similar to solving it by treating the system as infected with a rootkit, which in turn is distinct from performing troubleshooting of the OP's networking environment. Should one of these answers prove correct it will be most helpful to future viewers to have an answer to consider that does not provide three incompatible solutions to the problem. Ultimately I'm trying to help @AntoOswin with what appears to be a complicated problem requiring a battery of tactics to solve. – I say Reinstate Monica – 2014-07-31T03:00:46.090

0

Your virus/malware could actually be a rootkit. If so, removal would best be accomplished by erasing your hard drive and re-installing Windows. There are rootkit detection & removal tools, but unless you have a compelling reason to avoid an OS reinstallation, you'll have a much higher degree of confidence that you have a clean system if you erase everything and start over.

You should be able to save your documents and other important data to other media without transferring the rootkit, although it would be prudent to scan them for viruses on another machine that has Autoplay disabled (to help mitigate the likelihood of transferring any infection to the second machine before the scan).

I say Reinstate Monica

Posted 2014-07-22T14:51:38.347

Reputation: 21 477

-1

I was in the same situation a few months ago. I have 2 PCs at home, both running the same OS/version. One day one PC started showing difficulties connecting to my Gmail - Google would say "connection not trusted". After initial analysis, I noticed that all sites were now under the control of the DO_NOT_TRUST_FIDDLER_ROOT certificate. When I compared the cert. with the other PC, it did not exist there. I went through a number of recommendations but nothing helped. Being reluctant to re-install the OS, I did this: copied all web certs from the "good" PC and replaced the "bad" ones on the second PC. Only then did everything line up!! IN FUTURE, I WOULD RECOMMEND MAKING A BACKUP OF ALL WEB CERTIFICATES BEFORE THE PROBLEM ARISES.

teamguest7

Posted 2014-07-22T14:51:38.347

Reputation: 1
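As an added example (not code from teamguest7's answer, nor from user319647's earlier answer that names the same certificate), this PowerShell script inspects the root stores for the condition both describe: it lists roots that exist only in the current user's store, flags any whose subject carries a debugging-proxy name such as DO_NOT_TRUST_FiddlerRoot, and exports the user's root certificates to a folder as the backup the answer recommends. The subject patterns and the backup folder are the example's own choices; Export-Certificate comes from the PKI module on Windows 8 and later.

```powershell
# Added example, not from the original answer: audit and back up the root
# certificate stores. Assumes Windows 8+ (Export-Certificate from the PKI
# module). The subject patterns and backup folder are illustrative choices.

$SuspectSubjectPatterns = 'DO_NOT_TRUST', 'Fiddler'

function Get-UserOnlyRoots {
    # Roots trusted by this user that the machine-wide store does not hold.
    # Intercepting proxies typically install their root here, per user.
    $machine = @(Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })
    Get-ChildItem -Path Cert:\CurrentUser\Root |
        Where-Object { $machine -notcontains $_.Thumbprint } |
        Select-Object Subject, NotBefore, NotAfter, Thumbprint
}

function Get-SuspectRoots {
    param([string[]]$Patterns = $SuspectSubjectPatterns)
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        foreach ($cert in Get-ChildItem -Path $store) {
            $hit = $Patterns | Where-Object { $cert.Subject -like "*$_*" } | Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    NotBefore  = $cert.NotBefore   # self-generated proxy roots usually date from install
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

function Backup-UserRoots {
    # Exports every CurrentUser\Root certificate (public part only) as a DER .cer
    # file named by thumbprint, so a good store can be compared or restored later.
    param([string]$Folder = (Join-Path $env:USERPROFILE 'root-cert-backup'))
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\Root) {
        $file = Join-Path $Folder ('{0}.cer' -f $cert.Thumbprint)
        Export-Certificate -Cert $cert -FilePath $file -Type CERT | Out-Null
    }
    return $Folder
}

Write-Host 'Roots present only in the current user store:'
Get-UserOnlyRoots | Format-Table -AutoSize

Write-Host 'Roots whose subject matches a debugging-proxy name:'
$suspects = @(Get-SuspectRoots)
if ($suspects.Count -eq 0) { Write-Host '  none' } else { $suspects | Format-Table -AutoSize }

# Back up before touching anything. A confirmed rogue root can then be removed
# with Remove-Item on its Cert: path, for example:
#   Remove-Item -Path ('Cert:\CurrentUser\Root\' + $suspects[0].Thumbprint)
$backupFolder = Backup-UserRoots
Write-Host ('Backed up user root certificates to {0}' -f $backupFolder)
```

Running the same script on the "good" PC gives the comparison the answer made by eye: the user-only list on a clean machine is normally short, and any root present on one machine but not the other is the one to examine. A rogue root by itself only enables interception; the proxy setting that routes traffic through 127.0.0.1, discussed in user319647's answer, is the other half of that picture and should be checked at the same time.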