Registry or DNS hijack? Cannot get to amazon.com

DonCrescas

Member
Nov 5, 2003
71
0
0
So last night I noticed that I couldn't access amazon.com from my desktop. No ping either. I opened my laptop and it got through with no problem. This is not the first time I've had some strange issues on my desktop (Windows XP SP2 on a Dell 400SC). A few months ago I could not download Picasa from google.com for the life of me; had to do it from the laptop. Anyway, I ran Ad-Aware, Spybot, and a full McAfee scan and no help. Checked the hosts file, and I didn't even have one, only copyofhosts. I assume this is the result of a malware attack I had around a year ago that was never fully cleaned. Any suggestions? If not, does this mean time for a clean install?
 

ColKurtz

Senior member
Dec 20, 2002
429
0
0
Originally posted by: DonCrescas
So last night I noticed that I couldn't access amazon.com from my desktop. No ping either.
You can try HijackThis and then run the results through a HT analyzer. This program is not noob friendly, so if you go deleting everything that the program spits out you'll probably end up worse than you are now. You can always post your results to forums like this, where anonymous posters with unknown technical experience are happy to give advice.

I assume this is the result of a malaware attack I had around a year ago that was never fully cleaned. Any suggestions? if not, does this mean time for a clean install?
I would definitely do a fresh install if it were me. With the threat of rootkits rendering viruses/keyloggers/malware undetectable, I would do a fresh install. I keep a ghosted image of a base XP install and my core apps and re-install every 5 or 6 months, but then again I'm a bit paranoid.

 

btcomm1

Senior member
Sep 7, 2006
943
0
0
So you can't get to amazon.com? Can you get everywhere else without a problem? If so, then you probably have some funky DNS servers specified in your TCP/IP settings. If you have auto-assigned DNS servers for your laptop and desktop, then make sure you are getting the same ones. Check by going to a command prompt and typing ipconfig /all. Try setting the DNS servers on your desktop to the exact ones you have on your laptop. I could be wrong, maybe you have the same DNS servers on both, but check it out.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
As btcomm1 notes, one of the things that Spyware programs will sometimes do is change your DNS Server to a "funky" one. Worse than that, those "funky" DNS Servers are typically in Russia, and they can send your Internet traffic ANYWHERE that they choose.

For instance, you go to "BankofAmerica.com", and the DNS Server sends you to a fake Bank of America web site. You type in your BoA user name and password, and, SHAZAAM, somebody in Russia now knows your bank password.

Stuff like this is why I always recommend that people wipe their OS and re-install it when confronted with complex spyware or trojan infections. There are too many rootkits and other VERY HARD TO DETECT and hard to remove attacks out there. The "good ones" won't be obvious, since their job is to remain well hidden.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: Baloo
flush the dns cache
A quick check would be to type the following command at the MS DOS Command Prompt on a "working" and "non-working" PC:

"ping amazon.com"

You'll probably get back an IP similar to:
72.21.xxx.xxx

If both PCs give the same, or similar, IP addresses back, then the problem lies elsewhere than DNS.
 
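The two checks suggested in this thread, comparing the DNS servers from `ipconfig /all` on the working and non-working PC (btcomm1's post) and comparing what each PC resolves amazon.com to (RebateMonger's ping test), can be scripted. The following is an added example and not code from any poster; the `ipconfig /all` excerpts and the resolved addresses are constructed sample data using RFC 5737 documentation ranges, and the "same /16 means same owner" rule in `resolution_points_at_dns` is an assumption made for the example, not a fact from the thread.

```python
"""Compare resolver configuration and resolution results between a suspect
PC and a known-good PC.  Added example; sample data below is constructed."""
import ipaddress
import re

# Constructed excerpts of `ipconfig /all` from two PCs on the same home LAN.
# The desktop has been pointed at two resolvers the router never handed out.
DESKTOP_IPCONFIG = """\
Windows IP Configuration
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 198.51.100.23
                                            198.51.100.24
"""
LAPTOP_IPCONFIG = """\
Windows IP Configuration
Ethernet adapter Wireless Network Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.11
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

DNS_LINE = re.compile(r"DNS Servers[ .]*:\s*(\S+)")
IP_ONLY = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def dns_servers(ipconfig_text):
    """Return the DNS servers listed in an `ipconfig /all` dump, in order.

    Windows prints the first server on the 'DNS Servers' line and any
    further servers as bare, indented addresses on the following lines.
    """
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = DNS_LINE.search(line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        m = IP_ONLY.match(line) if in_dns else None
        if m:
            servers.append(m.group(1))
        else:
            in_dns = False
    return servers


def resolver_diff(good_servers, suspect_servers):
    """Resolvers configured on the suspect PC that the known-good PC does not use."""
    return [s for s in suspect_servers if s not in good_servers]


def resolution_points_at_dns(good_answer, suspect_answer, prefix_len=16):
    """The ping test: both PCs ping the same name and compare the address.

    If the suspect PC's answer lies in the same /16 as the good PC's answer
    (an assumption about 'similar' used by this example), DNS is probably not
    the problem; an answer in an unrelated block points at the resolvers.
    """
    block = ipaddress.ip_network(f"{good_answer}/{prefix_len}", strict=False)
    return ipaddress.ip_address(suspect_answer) not in block


if __name__ == "__main__":
    good = dns_servers(LAPTOP_IPCONFIG)
    suspect = dns_servers(DESKTOP_IPCONFIG)
    print("laptop resolvers :", good)
    print("desktop resolvers:", suspect)
    print("unexpected on desktop:", resolver_diff(good, suspect))
    # Constructed ping results for amazon.com from each PC.
    print("DNS suspected:", resolution_points_at_dns("72.21.203.1", "203.0.113.7"))
```

On the real machines the input is simply `ipconfig /all > laptop.txt` and `ipconfig /all > desktop.txt`; any resolver that shows up only on the misbehaving PC, and that neither the router nor the ISP handed out, is the thing to write down before changing it.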

Deathlord

Member
Sep 3, 2002
44
0
61
Do an nslookup www.amazon.com (from a command prompt) and see what it says. It should give something back like this;

Name: www.amazon.com
Address: 72.21.203.1

Then put that address in your IE address bar and click go....did it come up?

If spyware is the offender check your hosts file located here (open with notepad); C:\WINDOWS\system32\drivers\etc

and see if there are any unusual entries. It's an old trick to mess with someone: go in there and specify an entry that will send them to a different page than the one they are looking for. I believe (correct me if I am wrong) that name resolution will start in the hosts file before going to your specified DNS server.
 
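Deathlord's hosts-file check can be automated as well. The script below is an added example, not code from the thread: it parses a hosts file in the format Windows uses, flags any name that is mapped to a routable address (legitimate entries almost always point at loopback, 0.0.0.0 or a LAN address), and mimics the lookup order Deathlord describes, hosts file first and the configured DNS server second. The file contents and the DNS answers are constructed sample data; on the poster's system the real file would be read from C:\WINDOWS\system32\drivers\etc\hosts.

```python
"""Audit a Windows hosts file for redirection entries and show the lookup
order (hosts file before DNS).  Added example; HOSTS_TEXT is constructed."""
import ipaddress

# Constructed sample of a tampered hosts file.  Only the first two lines
# resemble the stock Windows XP file; the rest are planted for the example.
HOSTS_TEXT = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.45    www.amazon.com amazon.com
203.0.113.45    www.bankofamerica.com
0.0.0.0         ads.example   # sinkhole entry: harmless, stays unflagged
"""

# Address ranges a hosts entry may legitimately point at without raising
# suspicion on a home PC: loopback, "this host", RFC 1918 and link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128",
)]


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are ignored.

    One hosts line may carry several names for the same address, so each
    name becomes its own pair.  Names are lower-cased for matching.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def suspicious_entries(entries):
    """Entries that send a name to a public address: a redirection, not a block."""
    return [(ip, name) for ip, name in entries if not is_local(ip)]


def resolve(name, entries, dns_answers):
    """Mimic the client lookup order: the hosts file wins over the DNS server.

    `dns_answers` stands in for the configured resolver (a dict here, so the
    example runs offline).  Returns (address, source).
    """
    name = name.lower()
    for ip, host in entries:
        if host == name:
            return ip, "hosts"
    return dns_answers.get(name), "dns"


if __name__ == "__main__":
    entries = parse_hosts(HOSTS_TEXT)
    for ip, name in suspicious_entries(entries):
        print(f"SUSPICIOUS  {name:<28} -> {ip}")
    # Constructed DNS answer; the hosts entry shadows it regardless.
    print(resolve("www.amazon.com", entries, {"www.amazon.com": "72.21.203.1"}))
```

A hosts file that is missing altogether, as in the original post, is a different symptom: the hosts file is not needed for DNS to work, so its absence alone does not explain a site that will not resolve, and the resolver settings from `ipconfig /all` are the next thing to check.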

DonCrescas

Member
Nov 5, 2003
71
0
0
Originally posted by: btcomm1
you probably have some funky DNS servers specified in your tcp/ip settings.

Thanks for all the helpful replies. I would have gotten back sooner but had a *load at work to do before the holiday weekend. Anyway, btcomm1 nailed it: something reconfigured TCP/IP to use some weird DNS server. Since I could not figure out how it happened, and nothing came up with repeated virus/malware scans, I chose the safe route, backed up my files and did a clean install.

Does anyone think there could be a correlation with having installed uTorrent two weeks ago to find some episodes of Battlestar Galactica I missed? Some of the episodes were multipart RARs that each had one bad segment... was I hijacked? Aside from that I can't think of anything else recent.

Also, I backed up my data files to both an external and a secondary internal HD, and restored them using a basic copy, no imaging or compression. Could some malware be lurking on the secondary or external drive? I would hate to have to reformat them, as it would entail burning a ton of DVDs of music and raw pictures.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: DonCrescas
Anyway, btcomm1 nailed it. Something reconfigured TCP/IP to use some weird DNS server.
As I mentioned earlier, if your TCP/IP settings point to a DNS Server that isn't known to you, it means that ANY web site you visit is, potentially, a fake one. Even a "Secure" site, unless you bother verifying the SSL Certificate and know who SHOULD be listed as the Certificate owner.

What I'm suggesting is that you consider any UserNames/Passwords/Account No./SSN/Credit Card No./etc. that you entered on any web sites as potentially "stolen".

One quick check of a password-protected site is to enter an incorrect UserName/Password. If the web site accepts it.....you have a problem. If the site is fake, I always couple that discovery with entering some data making reference to the site owner's questionable family heritage... ;)
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: DonCrescas
Originally posted by: btcomm1
you probably have some funky DNS servers specified in your tcp/ip settings.

Thanks for all the helpful replies. I would have gotten back sooner but had a *load at work to do before the holiday weekend. Anyway, btcomm1 nailed it: something reconfigured TCP/IP to use some weird DNS server.
Did you, by any chance, see something like this pic or this pic anywhere, in the time leading up to this symptom? Some of these give you a DNSChanger infection.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: mechBgon
Did you, by any chance, see something like this pic or this pic anywhere, in the time leading up to this symptom? Some of these give you a DNSChanger infection.
I haven't seen that first one (the Media Player needs a new Codec). That's mean!
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: RebateMonger
Originally posted by: mechBgon
Did you, by any chance, see something like this pic or this pic anywhere, in the time leading up to this symptom? Some of these give you a DNSChanger infection.
I haven't seen that first one (the Media Player needs a new Codec). That's mean!
Here's a site showing what some of the different variants do: http://www.jahewi.nl/lists/fakecodecs/fakecodecs.html

The DNSChanger variants are reportedly rootkit-protected, too. The Zlob variants, as you can see, are ultimately trying to get people to buy worthless scumware like MalwareWipe, VirusBurst, etc, and serve pop-ups too.

The kicker is, these come out at the rate of, like, 15-20 new variants per day, with the old ones apparently retired at the same rate. Go to Kaspersky viruswatch and filter for "Zlob" and for "DNSChanger". Daily antivirus signature updates are basically useless here. Even Kaspersky's hourly updates don't result in solid detection rates because of the necessary lag in the discovery, creation of a signature, and deployment of the signature, 15-20 times a day.

One more reason why people need to use common sense, and/or lock down the system.
 

btcomm1

Senior member
Sep 7, 2006
943
0
0
If you did a clean install on your system, then you should not have to worry about files automatically loading from the D: drive. If you ran an up-to-date and good anti-malware scanner on the D: drive and it shows there is nothing bad on the drive, you should be safe. One thing you could have done instead of a clean install was just change your DNS servers back to the correct ones; if they didn't change back to the funky ones, you would probably have been OK. But it is weird that they changed. Does anyone else use your computer who might have done that?

Also, you probably didn't, but did you write down what those DNS servers were? Maybe they could be traced back to what specific malware you might have had.
 

DonCrescas

Member
Nov 5, 2003
71
0
0
I can't recall clicking on one of those fake warnings; I'm actually not a noob by any stretch of the imagination. My wife, on the other hand...

As far as the potential for ID theft, I monitor all my accounts pretty regularly, but I will certainly be extra vigilant and perhaps order a triple credit rating score in the next month.

Thanks again for the help. BTW, as soon as I reconfigured the DNS server to the default I regretted not taking down the IP address. In the past I actually once contacted a Czech hosting service to let them know they were hosting a phony search-hits redirect site.