-1

I downloaded a midi file on my Windows 8.1 laptop last night. Since then, whenever I open Chrome, I get a standard "Web Page Not Available" error for ALL the sites I try to visit.

Firefox and Internet Explorer too wouldn't open ANY page. I am pretty sure that malware is the cause, as I've had similar infections before.

I ran scans using the following tools in both safe mode and normal mode (using latest signatures):
1) Malwarebytes Antimalware
2) Spybot
3) Microsoft Anti-Malware tool

I even ran a McAfee scan for viruses. Surprisingly, all the malware removal tools and McAfee failed to detect even a single object!
I was quite surprised because last time, I resolved the issue by using the malware removal tools (which detected objects and deleted them).

However, after spending hours on Google, I found out the issue can be resolved by running the ipconfig /flushdns command in cmd. I tried it and the issue was resolved TEMPORARILY. But if I close and restart Chrome, or if I leave Chrome idle for some time, the issue reappears.

I have tried resetting winsock and ip using the following cmd commands with no respite:

    netsh winsock reset
    netsh winsock reset catalog
    netsh int ipv4 reset reset.log
    netsh int ipv6 reset reset.log
    netsh int ip reset c:\resetlog.txt

I even ran the Avira DNS Repair Tool. But it said there was no need for repairing as the DNS settings were not altered by DNS-changing malware.

I would appreciate a good solution ASAP as I'm not able to use the internet.

Note -
1) I connect to the modem using wifi. I tried connecting using LAN wire later but it made no difference.
2) There are NO connectivity issues while connecting via both modes.

Thanks in advance!

EDIT

This is my trace route to google.com

[image: trace route]

11 Answers

3

If Anti-malware/bloatware is what you are looking at, here are a few:

  1. SUPERAntiSpyware
  2. Malwarebytes
  3. ComboFix
  4. AdwCleaner
  5. CCleaner Temp File Cleaner

Run ComboFix last.

pulsarjune
  • 1,299
3

Try uploading the midi file that you are sure caused the problem to virustotal.com. It will show you what type of infection you have, then clean accordingly.

AEonAX
  • 481
3

Check your HOSTS file:

Windows 7 & Windows 8: Notepad must be run as Administrator.

1. Right click Notepad and select Run as administrator

2. When Notepad opens Click File -> Open

    C:\Windows\System32\Drivers\etc\hosts

3. Click Open

The DEFAULT hosts file is below; compare and modify. You could just replace it, but back up the existing file first just in case, or comment out the lines in the file with the pound character.

For Windows 7 & 8

    # Copyright (c) 1993-2006 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host

    # localhost name resolution is handled within DNS itself.
    #       127.0.0.1       localhost
    #       ::1             localhost

Logman
  • 3,660
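
The comparison against the default file described in the answer above can be automated by listing every active (uncommented) mapping, since the default file contains none. This is an added example, not part of the original answer; the sample file content, the function names and the finding labels are constructed for illustration.

```python
import ipaddress

# Constructed sample: default comments plus entries added for illustration.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
127.0.0.1       localhost
203.0.113.7     www.google.com google.com   # constructed redirect
0.0.0.0         update.example.com
not-an-ip       broken.example.com
::1             localhost
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def active_entries(text):
    """Yield (line_no, ip_text, [hostnames]) for every non-comment mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        yield line_no, fields[0], fields[1:]

def audit_hosts(text):
    """Return findings for entries a default Windows hosts file would not contain."""
    findings = []
    for line_no, ip_text, names in active_entries(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((line_no, "malformed", ip_text, names))
            continue
        for name in names:
            if name.lower() in LOCAL_NAMES and ip.is_loopback:
                continue  # harmless: localhost mapped to loopback
            if ip.is_loopback or ip.is_unspecified:
                kind = "blocked"     # name sinkholed to the local machine
            else:
                kind = "redirected"  # name pinned to a fixed remote address
            findings.append((line_no, kind, ip_text, [name]))
    return findings

if __name__ == "__main__":
    # On a live system, pass the content of C:\Windows\System32\Drivers\etc\hosts.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```
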
3

Your issue, Anto, sounds similar to what one of my users had about a month or two ago. Though not precisely the same, it's similar enough for you to try and use the techniques we used for yourself.

In her case, Outlook would connect fine for a few minutes after opening and then give her a certificate error message that there was a problem with the "proxy server's security certificate". Opening the certificate in detail, it documented the certificate path as leading to a root certificate oddly called DO_NOT_TRUST_FiddlerRoot.

When she browsed the internet through Internet Explorer, she got a webpage saying "There is a problem with this website's security certificate". She had to acknowledge the message to continue to the website. This was for any website she visited.

We tried a number of things that included removing unfamiliar programs as well as removing the above FIDDLER certificate. In the end we found that IE's proxy settings kept being changed to 127.0.0.1. Upon removing those proxy settings those symptoms were gone. However, like in your case, those proxy settings returned upon reopening IE.

We worked out that the registry setting for IE's proxy settings was HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings and then Proxy Server. As we removed the proxy settings from IE we could see that registry value updated. Similarly, when the unwanted proxy setting returned to IE then that registry value would get updated.

We then turned to Sysinternals' Process Monitor for help. This captures a trace of everything (file and registry access) that happens on a machine. We could use Process Monitor to check which process was amending that registry key.

(Process Monitor is quite easy to use straight away, but if you need to see more info on it, the other articles under my name describe it more fully.)

We removed the proxy settings and then we ran Process Monitor for around the half minute it took for the malware to return the proxy settings. We looked at Process Monitor's trace and did a search on the above registry key and saw that it was being modified by a process called Browsersafeguard. We then removed Browsersafeguard and then the problem was gone.

So, hope that helps, Anto. Symptoms are similar enough for you to try and use the techniques we used for yourself. This should help you try to remove the malware without changing the DNS.

Good luck.

user319647
  • 355
  • 2
  • 10
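
A quick check for the symptom in the answer above (the per-user proxy pointing back at 127.0.0.1) is to read the `ProxyEnable` and `ProxyServer` values under that registry key and test whether any proxy host is a loopback address. This is an added example, not part of the original answer; it parses text as printed by `reg query`, and the sample output, the four-space field separator and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of `reg query` output for the key named in the answer above.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    http=127.0.0.1:8888;https=127.0.0.1:8888
    User Agent    REG_SZ    Mozilla/4.0 (compatible; MSIE 8.0; Win32)
"""

def parse_reg_query(text):
    """Map value name -> data; assumes fields are separated by four spaces."""
    values = {}
    for line in text.splitlines():
        if not line.startswith("    "):
            continue  # key path or blank line
        parts = line.strip().split("    ", 2)
        if len(parts) == 3:
            name, _reg_type, data = parts
            values[name] = data.strip()
    return values

def proxy_endpoints(proxy_server):
    """Split 'host:port' or 'http=host:port;https=host:port' into (scheme, host)."""
    pairs = []
    for item in filter(None, proxy_server.split(";")):
        scheme, _, endpoint = item.rpartition("=")
        host = endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint
        pairs.append((scheme or "all", host))
    return pairs

def is_local(host):
    """True when the proxy host is this machine (localhost or a loopback address)."""
    host = host.strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname other than localhost

def local_proxy_findings(values):
    """Return the schemes that are routed through a proxy on this machine."""
    if int(values.get("ProxyEnable", "0x0"), 16) == 0:
        return []  # a ProxyServer value is not used while ProxyEnable is 0
    return [s for s, h in proxy_endpoints(values.get("ProxyServer", "")) if is_local(h)]

if __name__ == "__main__":
    print(local_proxy_findings(parse_reg_query(SAMPLE_REG_QUERY)))
```

A non-empty result only says that traffic is being sent to a local listener; identifying the process that keeps rewriting the value still needs a trace such as the Process Monitor capture described above.
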
3

If you're absolutely certain the issue must be with malware and nothing else, despite every reputable malware detection tool saying otherwise, there are only two options remaining:

  1. Remove the hard drive, and attach it to another system as a secondary drive. Then, use the other system to scan for and remove the malware.
  2. If option 1 fails to detect and/or remove your problem, re-format the drive using known-good OS installation media. After this, do not restore any backed-up data to the system. All backups from the previous installation should be thrown away, as they are obviously infected with malware that nobody can detect.
Iszi
  • 14,163
2

Check your proxy settings. In Internet Explorer>Tools menu>Internet Options>Connections tab>LAN Settings make sure Use a proxy server for your LAN isn't selected.

Failing that, you need to establish whether the problem here is with your web browser(s) or a networking issue (both of which could be caused by malware). Try to establish a connection to Google's website without using a browser. You can do this with telnet (how to enable Telnet client in Windows 8) by running this command from a Command Prompt:

    telnet www.google.com 80

If you're immediately taken to a blank screen, you successfully connected (press CTRL+] then type quit and press Enter to exit). This means you need to focus on your web browser (add-ins, settings, etc.).

If it just sits there saying Connecting To www.google.com.... then eventually returns Could not open connection to the host, on port 80: Connect failed, then your problem is a networking issue, not a browser issue.

Next, compare your networking settings between your computer and a known-working machine, both connected to the same network in the same way (either both wireless or both wired). Then from a Command Prompt run

    ipconfig /all

on both computers and compare the settings, paying special attention to Default Gateway, DHCP Server, DNS Servers (should be identical) and IPv4 address (first three numbers ["octets"] should probably match and last number differ). Any differences here could be clues to your problem.

You could also try connecting your machine directly to your Internet connection. Take the cable currently plugged into the WAN port of your router and plug it into your computer. If your problem goes away (or even changes in some material way) this tells you the problem is on your local network.

I'm not discounting your suspicion that malware is at the root of your problem. Because none of your scans have found anything, you must establish what the malware has broken in order to know where to look more specifically for the cause, whether that is malware or something else.

If these steps get you no closer to a solution and your other computers are working fine on the same network, then I'll put my vote in the hat for an OS reinstall.
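
The `ipconfig /all` comparison from the answer above can be done mechanically by parsing both outputs and diffing the fields it names. This is an added example, not part of the original answer; the two outputs are constructed samples, the parser handles a single adapter section, and the "first three octets" test is the answer's rule of thumb rather than a real subnet calculation.

```python
import re

# Constructed `ipconfig /all` excerpt; only the fields the answer lists are kept.
TEMPLATE = """\
Wireless LAN adapter Wi-Fi:

   IPv4 Address. . . . . . . . . . . : {ip}(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : {dns1}
                                       {dns2}
"""
SUSPECT = TEMPLATE.format(ip="192.168.1.23", dns1="198.51.100.53", dns2="198.51.100.54")
KNOWN_GOOD = TEMPLATE.format(ip="192.168.1.40", dns1="192.168.1.1", dns2="8.8.8.8")

FIELD = re.compile(r"^\s+(?P<key>[^:]+?)[ .]*: (?P<val>.*)$")
MUST_MATCH = ("Default Gateway", "DHCP Server", "DNS Servers")

def parse_ipconfig(text):
    """Return {field: [values]} for one adapter section of `ipconfig /all`."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m["key"]
            fields.setdefault(last, []).append(m["val"].strip())
        elif last and line.startswith(" " * 10) and line.strip():
            fields[last].append(line.strip())   # extra value of a multi-value field
        else:
            last = None
    return fields

def host_octets(fields):
    """'192.168.1.23(Preferred)' -> ['192', '168', '1', '23']"""
    return fields.get("IPv4 Address", [""])[0].split("(")[0].split(".")

def compare(suspect, known_good):
    """List the differences the answer says to look for."""
    diffs = [f"{key}: {suspect.get(key)} != {known_good.get(key)}"
             for key in MUST_MATCH if suspect.get(key) != known_good.get(key)]
    a, b = host_octets(suspect), host_octets(known_good)
    if a[:3] != b[:3]:
        diffs.append("IPv4 Address: first three octets differ")
    elif a == b:
        diffs.append("IPv4 Address: both machines report the same address")
    return diffs

if __name__ == "__main__":
    print("\n".join(compare(parse_ipconfig(SUSPECT), parse_ipconfig(KNOWN_GOOD))))
```
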

1

Try going to "Network Connections", then right-click on your wireless network connection and click Properties. This will open a dialogue box with a list. On this list select "Internet Protocol Version 4 (TCP/IPv4)" and then click Properties. Make sure that all the settings here are set to "automatic".

You also may want to check the advanced button in this window which opens another window that has a DNS tab.

Blaine
  • 1,697
1

Reset your router, completely. This means not just power cycling, but using the reset button as detailed in the manual.

It is very likely the DNS server settings on your router have been manipulated. This is possible by simply browsing to a malicious website when the router is vulnerable (bugs, backdoors, you name it). No traces (except in the browsing history perhaps) will remain on your computer, so no AV scanner will ever find anything.

This type of attack changes the DNS servers your router would query. Since all computers and devices in your network usually use the router’s DNS forwarding service, all of them are affected. The “bad guy’s” DNS server would then respond with the IP address of a man-in-the-middle attack server that grabs your passwords and the like.

user219095
  • 65,551
0

Try using System Restore to restore your computer to a point in time prior to the unwanted symptoms showing up. This will remove most forms of malware and would also revert any other changes that could have broken your DNS functionality.

0

Your virus/malware could actually be a rootkit. If so, removal would best be accomplished by erasing your hard drive and re-installing Windows. There are rootkit detection & removal tools, but unless you have a compelling reason to avoid an OS reinstallation, you'll have a much higher degree of confidence that you have a clean system if you erase everything and start over.

You should be able to save your documents and other important data to other media without transferring the rootkit, although it would be prudent to scan them for viruses on another machine that has Autoplay disabled (to help mitigate the likelihood of transferring any infection to the second machine before the scan).

-1

I was in the same situation a few months ago. I have 2 PCs at home, both running the same OS/version. One day one PC started showing difficulties connecting to my gmail - Google would say "connection not trusted". After initial analysis, I noticed that all sites were now under the control of the DO_NOT_TRUST_FIDDLER_ROOT certificate. When I compared the cert. with the other PC, no such certificate existed there. I went through a number of recommendations but nothing helped. Being reluctant to re-install the OS, I did this: copied all web certs from the "good" PC and replaced the "bad" ones on the second PC. Only then everything lined up!! IN FUTURE, I WOULD RECOMMEND MAKING A BACKUP OF ALL WEB CERTIFICATES BEFORE THE PROBLEM ARISES.