Forum Thread: How Do I Find/Remove a DNS Hijack

I have a friend's Windows 7 (64-bit) computer that has a DNS hijack in it.

Steps I have done currently to remove the DNS and viruses:

  1. disconnected internet
  2. Ran: AdwCleaner, JRT, Emsisoft, Kaspersky, ReasonCore, Zemana, and lastly RogueKiller to remove the current DNS changes.
  3. Reset DNS and ran TweakingRepair to do a full fix
  4. Reset internet options in control panel (removing cookies)
  5. Removed all unknown services and startup items.
  6. Used autoruns to remove any unknown or malicious startup as well.

While disconnected from any network and internet, it will keep the DNS malware removed whenever I run RogueKiller. However, as soon as I reconnect it to the network it instantly gets the malware DNS changes again.

I am wondering what else I can run to possibly remove a DNS hijack? Because I am thinking there must be some exploit or hidden script running that recreates the DNS changes every time it connects to the network.

The short story of this is, she got a call from someone claiming to be from Rwglobal Tech Repair. SCAM website: http://www.rwglobal.us/

Anyone know about what they do in particular?

Thanks

8 Responses

Try scanning with MalwareBytes-Anti-Malware and MalwareBytes-Anti-Rootkit maybe?

Hmmm... interesting. I would assume that this would have to do something with the router, right? Have you tried running aircrack-ng or kismet or even ettercap? If it isn't the router then there's probably a program on the computer that is running, which could explain why none of the processes worked, since it's probably in the startup part of the registry. If it's Windows you could probably find the program via the toolbar control panel, which can be accessed via right-clicking the toolbar. This would show every single program running. I hope that helps. :)

I currently have the desktop at my own home, not hers. The desktop does not have any Wi-Fi connection, so I was doing an ad-hoc share from my Linux machine to share my laptop's Wi-Fi. But every time it regains those DhcpNameServer malware entries that RogueKiller detects. So probably not the router. Although I will reset her router when I take it back.

I am probably going to try running DNS Jumper: http://www.sordum.org/7952/dns-jumper-v2-0/ to reset the DNS again.

Also run: http://www.nirsoft.net/utils/executed_programs_list.html; maybe it would show a file or script running that changes the DNS.

Not sure what will help, but I will be trying those later. I have never done the right-click on the toolbar to see what is running. I have gone into Task Manager and did not see anything malicious.

Edit: well, running those didn't really help much, although I did find the McAfee setup exe the hackers sent her, so I might need to check it with a PE scanner to see if there is malware in there. Maybe then I can find the script or whatever it added.

Usually the malware is infected in several areas... my experience with malware is that there were 500+ trojans when I ran malwarebytes on the computer that was infected. Usually you could probably find the program in the start up area of the registry... I should mention this won't be easy since probably the malware is encrypted in one shape or form, but my only suggestion left is run malwarebytes. Hope that helps. :)

And if all else fails, please consult the experts of malware removal at BleepingComputer. I am not affiliated with that website or forum, I am merely suggesting it as I strongly believe they can solve your malware problems.

I got it figured out: for some reason RogueKiller was seeing my ad-hoc network share from my Linux laptop to the Windows desktop as a malware DNS. Have not had that happen before, but it's all clean and no issues.
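As an added example (not from the thread, and not code from RogueKiller or any other tool named in it), a PowerShell 2.0-compatible check that shows why a DhcpNameServer finding on a Windows 7 machine can be a false positive: it separates each adapter's statically configured resolvers from the DHCP-assigned ones and compares both against an allow-list. The allow-list addresses are constructed placeholders.

```powershell
# Added example: per-interface DNS resolver audit for Windows 7 (PowerShell 2.0 compatible).
# Static servers live in the registry value NameServer; DHCP-supplied ones in DhcpNameServer,
# both under Tcpip\Parameters\Interfaces\<adapter GUID>. Reading HKLM needs no admin rights.

function Get-InterfaceDnsSettings {
    param(
        # Constructed allow-list: replace with the resolvers you actually expect
        # (home router, ISP, or a public resolver).
        [string[]] $AllowedDns = @('192.168.1.1', '8.8.8.8', '8.8.4.4')
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.SettingID }
    foreach ($a in $adapters) {
        $key = Get-ItemProperty -Path (Join-Path $base $a.SettingID) -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        $static = @(); $dhcp = @()
        if ($key.NameServer)     { $static = @($key.NameServer     -split '[ ,]+' | Where-Object { $_ }) }
        if ($key.DhcpNameServer) { $dhcp   = @($key.DhcpNameServer -split '[ ,]+' | Where-Object { $_ }) }
        $badStatic = @($static | Where-Object { $AllowedDns -notcontains $_ })
        $badDhcp   = @($dhcp   | Where-Object { $AllowedDns -notcontains $_ })
        # A static server off the allow-list survives reconnects and is the pattern a
        # persistent hijack leaves behind. An off-list DhcpNameServer is simply whatever
        # the current DHCP server handed out (for instance a laptop's ad-hoc share) and
        # changes with the network the machine is plugged into.
        $verdict = 'ok'
        if ($badStatic.Count -gt 0)   { $verdict = 'STATIC resolver not on allow-list: investigate' }
        elseif ($badDhcp.Count -gt 0) { $verdict = 'DHCP-supplied resolver not on allow-list: check the DHCP source' }
        New-Object PSObject -Property @{
            Adapter     = $a.Description
            DhcpEnabled = $a.DHCPEnabled
            StaticDns   = ($static -join ', ')
            DhcpDns     = ($dhcp -join ', ')
            Verdict     = $verdict
        }
    }
}

Get-InterfaceDnsSettings | Format-List Adapter, DhcpEnabled, StaticDns, DhcpDns, Verdict
```

Run it once on the infected box while isolated and again after reconnecting; if only the DhcpDns column changes and StaticDns stays empty or on the allow-list, the "new" resolver came from the network, not from something on the machine.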

Glad to hear that it's resolved. I would appreciate it if you explain the tips that you followed. Usually, I follow Malwarebytes for malware-related issues and common tips to prevent DNS hijacking like these. It would be great to add that to my knowledge.
