Unable to use internet due to suspected DNS malware

15,354

Solution 1

If you're absolutely certain the issue must be with malware and nothing else, despite every reputable malware detection tool saying otherwise, there are only two options remaining:

  1. Remove the hard drive, and attach it to another system as a secondary drive. Then, use the other system to scan for and remove the malware.
  2. If option 1 fails to detect and/or remove your problem, re-format the drive using known-good OS installation media. After this, do not restore any backed-up data to the system. All backups from the previous installation should be thrown away, as they are obviously infected with malware that nobody can detect.

Solution 2

Try uploading the midi file you are sure has caused the problem to virustotal.com. It will show you what type of infection you have, then clean accordingly.

Solution 3

Check your HOSTS file:

Windows 7 & Windows 8: Notepad must be run as Administrator.

1. Right click Notepad and select Run as administrator

2. When Notepad opens Click File -> Open

    C:\Windows\System32\Drivers\etc\hosts

3. Click Open

The DEFAULT hosts file is below; compare and modify. You could just replace it, but back up the existing file first just in case, or comment out the lines in the file with the pound character.

For Windows 7 & 8

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost

Solution 4

Your issue Anto sounds similar to what one of my users had about a month or two ago. Though not precisely the same, it's similar enough for you to try and use the techniques we used for yourself.

In her case, Outlook would connect fine for a few minutes after opening and then give her a certificate error message that there was a problem with the "proxy server's security certificate". Opening the certificate in detail, it documented the certificate path as leading to a root certificate oddly called DO_NOT_TRUST_FiddlerRoot.

When she browsed the internet through Internet Explorer, she got a webpage saying "There is a problem with this website's security certificate". She had to acknowledge the message to continue to the website. This was for any website she visited.

We tried a number of things that included removing unfamiliar programs as well as removing the above FIDDLER certificate. In the end we found that IE's proxy settings kept being changed to 127.0.0.1. Upon removing those proxy settings those symptoms were gone. However, like in your case, those proxy settings returned upon reopening IE.

We worked out that the registry setting for the IE's proxy settings was HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings and then Proxy Server. As we removed the proxy settings from IE we could see that registry value updated. Similarly, when the unwanted proxy setting returned to IE then that registry value would get updated.

We then turned to Sysinternals' Process Monitor for help. This captures a trace of everything (file and registry access) that happens on a machine. We could use Process Monitor to check which process was amending that registry key.

(Process Monitor is quite easy to use straight away but if you need to see more info on it the other articles under my name will describe it fuller)

We removed the proxy settings and then we ran Process Monitor for around the half minute it took for the malware to return the proxy settings. We looked at Process Monitor's trace, did a search on the above registry key, and saw that it was being modified by a process called Browsersafeguard. We then removed Browsersafeguard and the problem was gone.

So, hope that helps Anto. The symptoms are similar enough for you to try and use the techniques we used for yourself. This should help you to try to remove the malware without changing the DNS.

Good luck.
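The checks from Solution 3 (live entries in the hosts file) and Solution 4 (the ProxyServer value under the HKCU Internet Settings key, and watching it get re-applied) can be run from one PowerShell triage script. This is an added example, not code from any of the answers; it assumes Windows 8.1 or later (for Get-DnsClientServerAddress) and an elevated PowerShell session, and the -Watch switch only reports the timestamp of a change so you know where to look in a Process Monitor trace.

```powershell
# Constructed triage script for the symptoms discussed in this thread.
param([switch]$Watch, [int]$Seconds = 60)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$proxyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ActiveHostsEntries {
    # The default hosts file contains only comments, so any live
    # mapping that survives comment stripping deserves a look.
    Get-Content $hostsPath | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()
        if ($line) {
            $parts = $line -split '\s+'
            [pscustomobject]@{
                IP    = $parts[0]
                Names = (($parts | Select-Object -Skip 1) -join ' ')
            }
        }
    }
}

function Get-ProxyState {
    # Values absent from the key simply come back empty.
    $p = Get-ItemProperty -Path $proxyKey
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
    }
}

Write-Host '== Active hosts entries (expected: none) =='
Get-ActiveHostsEntries | Format-Table -AutoSize

Write-Host '== WinINet proxy (a loopback proxy such as 127.0.0.1:port is the Solution 4 symptom) =='
Get-ProxyState | Format-List

Write-Host '== DNS servers per adapter (compare with a healthy machine on the same network) =='
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

if ($Watch) {
    # Clear the proxy in IE first, then poll: the time of the first change
    # narrows the window to inspect for RegSetValue on this key in Process Monitor.
    $last = (Get-ProxyState).ProxyServer
    $stop = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $stop) {
        Start-Sleep -Seconds 2
        $now = (Get-ProxyState).ProxyServer
        if ($now -ne $last) {
            Write-Warning ("{0:HH:mm:ss} ProxyServer changed: '{1}' -> '{2}'" -f (Get-Date), $last, $now)
            $last = $now
        }
    }
}
```

Run it once to see the current state, then again with -Watch after clearing the proxy in Internet Options to confirm whether something re-applies it.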

Solution 5

If Anti-malware/bloatware is what you are looking at, here are a few:

  1. Superanti spyware
  2. Malware-bytes
  3. Combo Fix
  4. ADW cleaner
  5. CCleaner Temp File Cleaner

Run Combo-Fix last.

Updated on September 18, 2022

Comments

  • Admin
    Admin over 1 year

    I downloaded a midi file on my Windows 8.1 laptop last night. Since then, whenever I open chrome, I get a standard 'Web Page Not Available' error for ALL the sites I try to visit.

    Firefox and Internet Explorer too wouldn't open ANY page. I am pretty sure that malware is the cause as I've had similar infections before.

    I ran scans using the following tools in both safe mode and normal mode (using latest signatures)
    1) Malwarebytes Antimalware
    2) Spybot
    3) Microsoft Anti-Malware tool

    I even ran a McAfee scan for virus. Surprisingly all malware removal tools and McAfee failed to detect even a single object!
    I was quite surprised because last time, I resolved the issue by using the malware removal tools (which detected objects and deleted them).

    However, after spending hours on google, I found out the issue can be resolved by running the ipconfig /flushdns command in cmd. I tried it and the issue was resolved TEMPORARILY. But if I close and restart chrome or if I leave chrome idle for some time, the issue reappears.

    I have tried resetting winsock and ip using the following cmd commands with no respite -
    netsh winsock reset
    netsh winsock reset catalog
    netsh int ipv4 reset reset.log
    netsh int ipv6 reset reset.log
    netsh int ip reset c:\resetlog.txt

    I even ran the Avira DNS Repair Tool. But it said there was no need for repairing as the DNS settings were not altered by DNS Changing malware.

    I would appreciate a good solution ASAP as I'm not able to use the internet.

    Note -
    1) I connect to the modem using wifi. I tried connecting using LAN wire later but it made no difference.
    2) There are NO connectivity issues while connecting via both modes.

    Thanks in advance!

    EDIT

    This is my trace route to google.com

    • Ƭᴇcʜιᴇ007
      Ƭᴇcʜιᴇ007 almost 10 years
      Let's pretend for a while that you DIDN'T get malware from that midi file (which is highly unlikely), and just troubleshoot as if it's not... So -- Is this your personal machine, or a work machine? Does it behave the same way while booted into Safe Mode with Networking? How about in Normal mode as a different user?
    • SamAndrew81
      SamAndrew81 about 5 years
      If you ran a Malwarebytes scan and it says your machine does not have malware then chances are extremely high that's the case. That tracert to google.com is completely normal, by the way.
  • Admin
    Admin almost 10 years
    I have cleaned all my temp files manually. Combo Fix is not compatible with Windows 8. I have already checked for spywares using spybot.
  • Admin
    Admin almost 10 years
    Did a full system reset of the router as you told. No respite. I think I have already mentioned that other devices connected to the same network and router have NO problem. I don't think there is any problem with the router.
  • Daniel B
    Daniel B almost 10 years
    Well, you’re in luck then. A vulnerable router with no update available would need to be replaced, after all. ;)
  • Admin
    Admin almost 10 years
    I checked that option. There were NO restore points stored prior to the symptoms. I won't be able to do a system restore.
  • Admin
    Admin almost 10 years
    So you want me to replace my router?
  • Daniel B
    Daniel B almost 10 years
    No. It doesn't appear to be affected, after all.
  • Admin
    Admin almost 10 years
    C:\WINDOWS\system32>telnet www.google.com 80 Connecting To www.google.com...Could not open connection to the host, on port 80: Connect failed
  • Admin
    Admin almost 10 years
    This is an IDENTICAL copy of the hosts file in my system except that mine starts with 'Copyright (c) 1993-2009 Microsoft Corp.'
  • Admin
    Admin almost 10 years
    I deleted that midi file as soon as the symptoms started showing up.
  • I say Reinstate Monica
    I say Reinstate Monica almost 10 years
      OK. What about comparing the IPCONFIG output of your system with the others on the network?
  • I say Reinstate Monica
    I say Reinstate Monica almost 10 years
    And you should also try connecting directly to your Internet without going through your router. This will tell us whether the problem is with your computer or something on the inside of your network.
  • I say Reinstate Monica
    I say Reinstate Monica almost 10 years
    @AntoOswin, have you tried connecting your computer directly to your Internet connection, outside of your local network?
  • Iszi
    Iszi almost 10 years
      @AntoOswin If you can find it again, you can point VirusTotal to the URL.
  • Ramhound
    Ramhound almost 10 years
    @Twisty - Why did you post 3 different answers to this question?
  • Ramhound
    Ramhound almost 10 years
    @AntoOswin - Combo Fix works with Windows 8 what in the world are you talking about?
  • Ramhound
    Ramhound almost 10 years
      @AntoOswin - Have you verified your internet service provider's DNS servers are actually working?
  • I say Reinstate Monica
    I say Reinstate Monica almost 10 years
      Because solving the problem with System Restore is in no way similar to solving it by treating the system as infected with a rootkit, which in turn is distinct from performing troubleshooting of the OP's networking environment. Should one of these answers prove correct it will be most helpful to future viewers to have an answer to consider that does not provide three incompatible solutions to the problem. Ultimately I'm trying to help @AntoOswin with what appears to be a complicated problem requiring a battery of tactics to solve.
  • I say Reinstate Monica
    I say Reinstate Monica almost 10 years
    I also suggested to @AntoOswin earlier that he check his proxy settings. Your experience confirms the possibility this suggestion remains relevant.
  • Admin
    Admin almost 10 years
    My network connection is such that I can connect my laptop to the internet via router only (because nothing else has a lan port)....
  • Admin
    Admin almost 10 years
    I will go with this one if all else fail.... will be my last resort..
  • Ramhound
    Ramhound almost 10 years
    @AntoOswin - You have verified both PCs are using the same DNS ip addresses? This can be verified by doing ipconfig /all
  • Admin
    Admin almost 10 years
      None of the answers for this question has solved my problem. However, this answer might help someone else who has a DNS malware attack different from mine. Thus bounty awarded.