Connection hit by virus?
Hi.
Yesterday I was hit by a virus/trojan. I removed it using Malwarebytes/Spybot/AVG but some of my settings seem to have changed and I cannot get email or browse using the hard wire to the router. I can get Skype this way though :confused:!
I can get email etc using a wireless connection but it is laggy when gaming etc. I have looked at the settings on the wired connection and it seems ok. I can get into the router settings with the wired connection but not use for email etc.
Any ideas please?
Thanks.
Kingmaker2 04-04-2010, 03:32 Hi.
Yesterday I was hit by a virus/trojan. I removed it using Malwarebytes/Spybot/AVG but some of my settings seem to have changed and I cannot get email or browse using the hard wire to the router. I can get Skype this way though :confused:!
I can get email etc using a wireless connection but it is laggy when gaming etc. I have looked at the settings on the wired connection and it seems ok. I can get into the router settings with the wired connection but not use for email etc.
Any ideas please?
Thanks.
Use "System Restore" to restore your computer system to a time BEFORE you got infected.
You can access "System Restore" in a couple of ways:
Method 1)
Start Menu>Control Panel>(Category View)Performance and Maintenance>System Restore (left hand corner)
Method 2)
Start Menu > Programs/All Programs > Accessories > System Tools > System Restore.
Once at the System Restore Screen you will be presented with 3 options:
"Create a restore Point"
"Restore my computer to an earlier time"
"Undo my last restoration"
Select "Restore my computer to an earlier time"
You will then be presented with a calendar with a number of bolded dates, which are the dates you can select to restore your computer back to.
Select the desired date, select Next and let your computer do its work.
All things being equal your browser and e-mail should work as before.
Many thanks Kingmaker2 but...my PC will not return to a restore point. I have tried several going back weeks but each time I try it fails.
I have also tried deleting the LAN internet connection to re-setup but this option is not accessible.
I have also tried setting up a new LAN connection using the wizard but it just tells me my connection should be working.
I also have noticed that sometimes the Internet Gateway icon appears and sometimes not?
Have I been hacked?
Any help gratefully received.:mad:
*edit* Just ran UNHACKME - fixed a couple of problems but the main issue is still the same - can use Skype but can't use email or browse the internet on the wired connection. Getting very frustrated now.
Sorted!!!!!!:cool::cool:
Turned out it had changed my settings in Internet Protocol TCP/IP!!!!!!
Phew! :)
waddler8 04-04-2010, 11:59 It sounds like the trojan configured your Name Server DNS settings to point to a server other than that of your ISP. My guess is that your DNS queries (if you had Whois'ed the IP address) will have been going through a server in the Ukraine.
auto98uk 04-04-2010, 13:11 Also get a hosts file checker (or do it yourself if you know what you are looking for) - very common for viruses that alter your TCP/IP setting to also add entries to hosts file.
waddler8 04-04-2010, 16:07 http://www.f-secure.com/v-descs/trojan_dnschanger.shtml
It's done with the intention of phishing passwords or financial information. When a DNS request for www.NameOfBank.com goes through the rogue server, it returns an IP address for a fake (phishing) site instead of the requested real one.
It might also return IP addresses for simple ad sites when requesting non-financial related websites.
As auto98uk pointed out, the Hosts file is used similarly.
(Also available for OSX (http://www.f-secure.com/v-descs/trojan_osx_dnschanger.shtml))
OK - I've got a hosts checker (hostfilechecker.zip) but what do I do with it? I ran it, opened the hosts file, and it just produced a list of 13162 hosts. Any suggestions? Should I delete all?
Thanks.
Kingmaker2 05-04-2010, 17:32 OK - I've got a hosts checker (hostfilechecker.zip) but what do I do with it? I ran it, opened the hosts file, and it just produced a list of 13162 hosts. Any suggestions? Should I delete all?
Thanks.
Alky, if your connection has been infected then that suggests that your ISP nameserver has a vulnerability that you need to look at, otherwise you are liable to suffer a recurrence of the problem.
Here is a good way to test whether your ISP is vulnerable or not (just click the button "Test My DNS" and take note of the results):
https://www.dns-oarc.net/oarc/services/dnsentropy
waddler8 05-04-2010, 17:36 Do you use spybot? Entries with 127.0.0.1 before them (as below) are legit entries added by spybot.
127.0.0.1 localhost
127.0.0.1 fr.a2dfp.net
127.0.0.1 m.fr.a2dfp.net
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 adv.abv.bg
127.0.0.1 bimg.abv.bg
127.0.0.1 www2.a-counter.kiev.ua
You would be looking for entries like the ones below, where the IP address is other than 127.0.0.1
With the hosts file entries below, any requests for halifax.com for example would probably return a phishing site from a server hosted in the Russian Federation.
84.252.148.80 www.bankone.com
84.252.148.80 bankone.com
84.252.148.80 halifax.com
84.252.148.80 www.halifax.com
84.252.148.80 halifax.co.uk
84.252.148.80 www.halifax.co.uk
84.252.148.80 www.bankofamerica.com
84.252.148.80 bankofamerica.com
84.252.148.80 www.paypal.com
84.252.148.80 paypal.com
84.252.148.80 www.lloydstsb.com
84.252.148.80 lloydstsb.com
84.252.148.80 www.lloydstsb.co.uk
84.252.148.80 lloydstsb.co.uk
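The distinction auto98uk and waddler8 draw above (127.0.0.1 blocking entries are harmless, a routable address in front of a bank or payment domain is the hijack) is easy to automate. The following is an added example, not code from the thread or from hostfilechecker.zip: it parses hosts-file text and flags entries that resolve a name to a real address, then groups them by address so that one IP claiming many unrelated domains stands out. The sample hosts content is constructed for the example, modelled on the entries posted above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file: Spybot-style blocking entries plus the kind
# of phishing redirects shown in the thread (84.252.148.80 is the address
# quoted in the post above).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
127.0.0.1 fr.a2dfp.net
127.0.0.1 ad.a8.net
0.0.0.0 adv.abv.bg        # some blockers use the unspecified address instead
84.252.148.80 www.halifax.com
84.252.148.80 halifax.co.uk
84.252.148.80 www.paypal.com
84.252.148.80 paypal.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()                   # whitespace or tab separated
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_blocking_entry(ip):
    """True for loopback/unspecified addresses, which ad-blockers such as Spybot use."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                           # malformed: treat as worth a look
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(text):
    """Return (ip, hostname) pairs that send a name to a real, routable address."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if not is_blocking_entry(ip) and name != "localhost"]


def hijacked_ips(text, min_names=2):
    """Group suspicious entries by address.

    One address claiming several unrelated domains (banks, PayPal, ...) is the
    hallmark of a phishing redirect; returns {ip: [names]} for such addresses.
    """
    by_ip = defaultdict(list)
    for ip, name in suspicious_entries(text):
        by_ip[ip].append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) >= min_names}


if __name__ == "__main__":
    for ip, names in hijacked_ips(SAMPLE_HOSTS).items():
        print(f"{ip} is claimed by {len(names)} names: {', '.join(names)}")
```

On a real machine you would read `C:\Windows\System32\drivers\etc\hosts` into `text` instead of the sample; anything `hijacked_ips` reports is what should be removed, while the 127.0.0.1 lines can stay.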
waddler8 05-04-2010, 18:02 Alky, if your connection has been infected then that suggests that your ISP server has a vulnerability that you need to look at,
I don't think that is the case here at all. The trojan Alky contracted alters the nameserver entries in the registry of the host pc to point to a server other than that of the ISP. The fact that they had to manually change the tcp/ip settings through Network Connections backs this up.
An example of this is in the O17 entries in this Hijackthis log (http://forums.techguy.org/7237183-post1.html) show that the nameserver entries had been altered to point to a server in the Ukraine.
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.118,93.188.161.41
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.118,93.188.161.41
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.118,93.188.161.41
http://whois.domaintools.com/93.188.162.118
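The O17 lines above are what a DNS-changer leaves behind: the NameServer value under each control set's Tcpip\Parameters key is overwritten with the attacker's resolvers. As an added example (not code from the thread or from HijackThis), the block below parses O17-style lines and reports every nameserver that is not on an allowlist of the resolvers the machine is supposed to use. The 93.188.x.x addresses come from the log quoted above; the allowlist containing the router address 192.168.1.1 is a constructed assumption, and the CS2 line is constructed as a clean control set for contrast.

```python
import ipaddress
import re

# Constructed sample in the O17 format quoted in the thread. CS1 and CCS carry
# the rogue resolvers from the quoted log; CS2 is a made-up clean control set.
SAMPLE_O17 = r"""
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.118,93.188.161.41
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.118,93.188.161.41
"""

# Assumption for the example: the only resolver this PC should use is its router.
EXPECTED_RESOLVERS = ["192.168.1.1"]

O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>[\d., ]+)$")


def parse_o17(text):
    """Return [(registry_key, [server, ...])] for every O17 NameServer line."""
    found = []
    for line in text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        found.append((m.group("key"), servers))
    return found


def rogue_nameservers(text, expected):
    """Return {registry_key: [servers not in the allowlist]}.

    Keys whose every server is expected are omitted, so an empty dict means
    no control set has been redirected.
    """
    allowed = {ipaddress.ip_address(s) for s in expected}
    findings = {}
    for key, servers in parse_o17(text):
        bad = []
        for s in servers:
            try:
                if ipaddress.ip_address(s) in allowed:
                    continue
            except ValueError:
                pass                       # unparsable value: report it too
            bad.append(s)
        if bad:
            findings[key] = bad
    return findings


if __name__ == "__main__":
    for key, servers in rogue_nameservers(SAMPLE_O17, EXPECTED_RESOLVERS).items():
        print(f"{key}: unexpected NameServer value(s) {', '.join(servers)}")
```

The same check applies to the DHCP-assigned value (`DhcpNameServer`) and to the per-interface keys below Tcpip\Parameters\Interfaces; restoring the TCP/IP properties to "obtain DNS server address automatically", as Alky did, is the fix once a rogue value is found.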
Kingmaker2 05-04-2010, 18:09 I don't think that is the case here at all. The trojan Alky contracted alters the nameserver entries in the registry of the host pc to point to a server other than that of the ISP. The fact that they had to manually change the tcp/ip settings through Network Connections backs this up.
Hey Waddler we are all trying to help here!:thumbsup:
I thought we were talking about a cache poisoning attack.
waddler8 05-04-2010, 18:16 Hey Waddler we are all trying to help here!:thumbsup:
I thought we were talking about a cache poisoning attack.
Sorry, I should use smilies more! If my post sounded harsh or critical it wasn't meant to be. ;)
auto98uk 07-04-2010, 11:01 OK - I've got a hosts checker (hostfilechecker.zip) but what do I do with it? I ran it, opened the hosts file, and it just produced a list of 13162 hosts. Any suggestions? Should I delete all?
Thanks.
Well, could you upload the log somewhere? It's a bit long to post on here. You can open it in notepad btw, if that's easier.
Or the other alternative is to follow this: http://malektips.com/spyware_adware_0017.html