Home » Questions » Computers [ Ask a new question ]

DNS issues after malware infection

DNS issues after malware infection

I have a laptop that has some sort of malware infection. I can't contact microsoft.com, symantec.com and so on. I've checked the HOSTS file, but there are no unusual entries. By what other means might a piece of malware orchestrate such an effect? I've not taken any measures yet to clean up the infection, but am interested in understanding this mechanism before I clean it up.

Asked by: Guest | Views: 18
Total answers/comments: 4
Guest [Entry]

"seems like conficker

here is more info and removal tools for conficker. http://en.wikipediadotorg/wiki/Conficker"
Guest [Entry]

"Generally it is usually just the hosts file. Sometimes they may try and change your actual network DNS server settings to a different (hacked) DNS server, so that may be worth a try.

Also, try going to command prompt and type

netsh int ip reset

This should reset the ip stack on your machine, but only use as a last resort."
Guest [Entry]

"This sounds like something I dealt with ""System Security 2009""... Take a look at Trojan.Poison.J.

Part of the problem is that I believe it adds a BHO, that will automatically bounce you to a ""This web page is hazardous message, any time you go to the Antivirus (or Microsoft's) web site. Darn effective, and annoying.

If you are quick, you can see Windows Update load, and then it loads a different page as the BHO bounces you.

Original source here: http://blog.plaitsolutions.com/2009/09/25/update-to-previous-post-on-emails-that-are-bogus.aspx?ref=rss

So, here's what you do if this vile piece of malware is inhabiting your PC (read this through carefully before starting the work):
Removing System Security 2009 manually******:

1. Boot into Safe Mode.

2. Browse to and remove the following files:

C:\Documents and Settings\All Users\Application Data\00308937*\pc00308937ins*
C:\Documents and Settings\All Users\Application Data\00308937*\00308937.exe*
C:\Documents and Settings\All Users\Application Data\00308937*\config.udb
C:\Documents and Settings\{your username directory}**\Desktop\System Security 2009.lnk
C:\Documents and Settings\{your username directory}**\Start Menu\Programs\System Security\System Security 2009 Support.lnk
C:\Documents and Settings\{your username directory}**\Start Menu\Programs\System Security\System Security 2009.lnk
* - The number in this command (00308937) may not be the actual number you see in the directory. If so, replace that number with the one in the directory.

** - replace ""{your username directory)"" with the name of the user's folder under Documents and Settings. For example, my username is ""Sid"", so the path to the System Security 2009.lnk file would be:

C:\Documents and Settings\Sid\Desktop\System Security 2009.lnk
3. Delete the following registry entries:

HKEY_LOCAL_MACHINE\Software\00308937*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run “00308937″*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009
* - The number in these registry entries (00308937) may not be the actual number you see in the directory. If so, replace that number with the one in the directory (the same one you used in the previous step).

****** - Manual removal of System Security 2009 is a dangerous task if you aren't familiar with the registry. If you remove the wrong keys, you could cause your computer to stop working. While it has worked in every case for me so far, the malware may reappear. I suggest you either use an automated tool or call a professional to remove it."
Guest [Entry]

"i had a similar issue where DNS stopped working AFTER removing a virus infection, the infected file that caused DNS to stop working was C:\windows\system32\drivers\zdengine.dll , and the file could not be removed normally, not even in Safe Mode could the file be removed, so i had to remove it from a Linux live USB, after which DNS stopped working. DNS started working again after running

netsh winsock reset

in cmd as administrator, and rebooting."