DNS-changing malware FBI thingy - anybody???

72 replies

Ponders · 29/06/2012 21:45

Via Firefox/Chrome we are getting the warning on Google. We have done the security checks suggested but are still getting the warning, which means the router settings have been reset?

DH, supposedly our resident tech because he works in IT (but he only does systems analysis/development, hmm), denies that this is a problem & thinks that resetting DNS things on each individual computer will solve it; but he doesn't use any browser other than AOL, which doesn't get the Google flag.

I've told him that AOL has been bamboozled:

"Your computer appears to be looking up IP addresses correctly!
Had your computer been infected with DNS changer malware you would have seen a red background. Please note, however, that if your ISP is redirecting DNS traffic for its customers you would have reached this site even though you are infected."

but he won't listen to me because he knows best aaaaaargh

Please can a techy person tell me what to tell him so that he will believe that the router needs to be reset to factory settings before July 9th?

flatpackhamster · 01/07/2012 22:14

AOL is pretty grim. But there's an easy way that you can test.

Click on the start menu. In the search box type CMD. Don't press enter. The command prompt should now appear in the list of programs above the search box.

Right-click on this and choose 'run as administrator'.

Check your IP settings by typing 'ipconfig /all'. This will give you your DNS so that you can check where it's being allocated from.

Then, for each of the websites you can't access, run an nslookup. nslookup translates IPs to names and vice versa. So type 'nslookup www.google.com', for example, and it'll return the IPs of the six Google servers.

If you're not getting an IP returned, then you've still got DNS issues.
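
The two checks above can be scripted. The following is an added example, not code from any poster in this thread: it parses the text that `ipconfig /all` prints and classifies every DNS server it finds against the rogue resolver ranges the FBI published for the DNSChanger takedown. The `ipconfig` output embedded in it is constructed for the example. One caveat the thread itself runs into: when the DNS server shown is the router (192.168.0.1 here), the PC's own settings prove nothing, because DNSChanger also rewrote the upstream DNS servers on home routers that still had default admin passwords; those have to be read from the router's admin page.

```python
"""Classify the DNS servers shown by `ipconfig /all` (added example; sample output is constructed)."""
import ipaddress
import re

# Rogue resolver ranges published by the FBI for the DNSChanger (Rove Digital) case.
DNSCHANGER_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

ADAPTER_RE = re.compile(r"^(\S.*):\s*$")                   # "Ethernet adapter Local Area Connection:"
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S*)\s*$")  # labelled line with the first server (may be empty)
CONT_RE = re.compile(r"^\s+(\S+)\s*$")                     # unlabelled continuation line with one more server


def parse_dns_servers(ipconfig_text):
    """Return {adapter name: [dns server, ...]} from the text `ipconfig /all` prints."""
    servers = {}
    adapter = None
    in_dns = False
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter, in_dns = m.group(1), False
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:
            servers.setdefault(adapter, [])
            if m.group(1):
                servers[adapter].append(m.group(1))
            in_dns = True
            continue
        m = CONT_RE.match(line)
        if in_dns and m:
            servers[adapter].append(m.group(1))
        else:
            in_dns = False
    return servers


def classify(server):
    """Verdict for one resolver address as printed by ipconfig (IPv6 zone ids like %1 are stripped)."""
    try:
        addr = ipaddress.ip_address(server.split("%")[0])
    except ValueError:
        return "unparseable"
    if any(addr in net for net in DNSCHANGER_RANGES):
        return "ROGUE: inside a published DNSChanger range"
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or getattr(addr, "is_site_local", False)):
        return "LOCAL: the router (or this PC) is forwarding; inspect the router's own DNS settings"
    return "PUBLIC: confirm this address belongs to your ISP or a resolver you chose"


def check(ipconfig_text):
    """[(adapter, server, verdict), ...] for every DNS server in the output."""
    return [(adapter, server, classify(server))
            for adapter, lst in parse_dns_servers(ipconfig_text).items()
            for server in lst]


# Constructed sample (not a real capture): router as first resolver plus one rogue entry.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : OLDPC
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.0.3(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       85.255.112.36
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . :
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
"""

if __name__ == "__main__":
    # On a real Windows machine replace SAMPLE_IPCONFIG with:
    #   subprocess.check_output(["ipconfig", "/all"], text=True)
    for adapter, server, verdict in check(SAMPLE_IPCONFIG):
        print(f"{adapter}: {server} -> {verdict}")
```

A LOCAL verdict is the common home case and is neither good nor bad news on its own; it just moves the question to the router's configuration page.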

Ponders · 01/07/2012 22:21

OK, have done first bit, hamster:

under Windows IP configuration
Primary Dns suffix: blank
under Ethernet adapter local area connection
Connection-specific DNS suffix: blank
under Tunnel adapter Local Area Connector
Connection-specific DNS suffix: blank

does all this blankness indicate a problem or is it correct?

Ponders · 01/07/2012 22:31

I can't get anything from the nslookup thing

typed nslookup www.google.com into that search box & it appears at the top

left click/double left click does nothing

right click opens box of options

tried

Open - nothing (well, a black box appears fleetingly)

Run as Administrator - gives me a black box:

Default Server: www.routerlogin.com
Address: 192.168.0.1

nannynick · 01/07/2012 22:31

Under the Ethernet Adapter Local Area Connection
I would expect to have seen entries for
IPv4, Default Gateway, DNS Servers
It would say things like 192.168.1.254

Are you seeing any entries like that Ponders?

Whilst you have the CMD box up, try typing:
ipconfig /renew

That should get the computer to request an ipaddress from the router and you should see it give you things like Default Gateway

nannynick · 01/07/2012 22:34

nslookup is run from within the CMD box (it's a black box).

So you will have something like
C:\Windows\System32>
with a flashing cursor after the >

nannynick · 01/07/2012 22:38

If you have lost the CMD box, then find it again by repeating the steps:

Click on the start menu. In the search box type CMD. Don't press enter. The command prompt should now appear in the list of programs above the search box.

Right-click on this [the CMD program icon] and choose 'run as administrator'.

You now have a black box, with something like
C:\Windows\System32>

This is the command prompt, at which point you can type system commands.
It will remain on screen until it is closed (by clicking the X usually) or by typing the word EXIT

Ponders · 01/07/2012 22:56

I am getting v Confused again, nick, can you tell? Grin

yes, under ethernet it has all that stuff you list including a 192.168 number

& at the end is a c:\windows\system32>

when I put the nslookup for google.com there it lists initially

2a00:1450:4007:803::1010

& then 6 addresses, all starting with 173.194

is that right?

flatpackhamster · 02/07/2012 09:03

Yes, that's exactly what you're supposed to see.

Now run the nslookup for some of the websites that don't work, and post the name of the website and the IP it returns on here, and I'll compare it to the results I get.

Ponders · 02/07/2012 10:29

aha! I see where we're going now - this is like playing detectives, hamster!

Ok, for facebook it shows:

Non-authoritative answer
Name: www.facebook.com
Addresses: 2a03:2880:2110:3f01:face:b00c::
66.220.152.32

Santander:

Non-authoritative answer
Name: e3625.b.akamaiedge.net
Address: 2.18.190.196
Aliases: www.santander.co.uk
santander.co.uk.edgekey.net

Guardian:

Non-authoritative answer
Name: guardian.co.uk
Address: 77.91.249.30
Aliases: www.guardian.co.uk

BBC:

Non-authoritative answer
Name: www.bbc.net.uk
Address: 212.58.244.69
Aliases: www.bbc.co.uk

& for mumsnet (which is opening, obv):

Non-authoritative answer
Name: arsenal.dsc.net
Address: 85.92.212.70
Aliases: www.mumsnet.com

Headers for all are

Server: www.routerlogin.com
Address: 192.168.0.1

Ponders · 02/07/2012 10:47

incidentally, although google will open & perform a search, most of the links found won't open (the hippo one & PCWorld are the only ones that have done so far)

flatpackhamster · 02/07/2012 10:53

OK, now what I can do with that info is run a 'reverse' NSLOOKUP using the IPs you posted and see where it returns the data to.

Now bear in mind that the way the internet works for me is different to the way it works for you. That's because you're on AOL who use (as far as I can tell) a different routing system to literally everyone else in the galaxy and who, in my professional opinion, suck donkey balls.

That aside, here are my results for the reverse lookup:

66.220.152.32 - www-slb-11-09-frc1.facebook.com

2.18.190.196 - non-existent domain

77.91.249.30 - www.guardian.co.uk

212.58.244.69 - bbc-vip114.telhc.bbc.co.uk

The reason that the Facebook and BBC ones look different to what you typed in is that they have hundreds (in facebook's case, thousands) of domains and servers to handle all the traffic to their site.

The most important one here is the Santander one. This is being bounced to, as you can see, a domain that doesn't exist.

A check on the IP at the DomainTools website shows that it's managed by Akamai technologies, a company who bounce stuff around the internet. They're a legit company, and Santander seem to use them for their DNS management because when I run an NSLOOKUP for the Santander site, I get the IP 23.14.222.196, which, when I reverse the lookup, takes me to akamaiedge.net.

However, it is possible that this is a scrap of the DNS hijacking which is left over.

If you can copy and paste that HijackThis log, it would help immensely because that is likely to give me the info I need.
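
Two caveats a practitioner would add to the reverse-lookup approach above, followed by an added example (not code from any poster). First, every answer in the thread shows "Server: 192.168.0.1", so the router is the resolver; that header looks identical whether the router forwards to the ISP or to a rogue resolver, and the useful test is to send the same query to an independent resolver (`nslookup www.santander.co.uk 8.8.8.8`) and compare. Second, for CDN-hosted sites such as Santander's Akamai front end, the IP addresses legitimately differ between resolvers and the edge address often has no PTR record, so "non-existent domain" on a reverse lookup is not by itself evidence of hijacking; what should match is the canonical name and the alias (CNAME) chain. The script parses two nslookup outputs in the Windows format the thread pastes and reports differences with that distinction. All three nslookup texts are constructed for the example; 198.51.100.7 is a documentation address, not anything observed in the thread.

```python
"""Compare nslookup answers obtained via the router with answers from an independent resolver
(added example; the nslookup text below is constructed in the format Windows nslookup prints)."""
import ipaddress
import re

KV_RE = re.compile(r"^(\w+):\s*(.*)$")   # "Server:  www.routerlogin.com", "Aliases:  www.santander.co.uk"


def parse_nslookup(text):
    """Parse one nslookup run into server, server_address, name, addresses[], aliases[]."""
    out = {"server": None, "server_address": None, "name": None,
           "addresses": [], "aliases": []}
    in_answer = False
    cont = None   # list that indented continuation lines append to, or None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            cont = None
            continue
        if line.lower().startswith("non-authoritative answer"):
            in_answer, cont = True, None
            continue
        m = KV_RE.match(raw)
        if not m:
            if cont is not None and raw[:1].isspace():
                cont.append(line)          # second and later addresses / aliases
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        cont = None
        if key == "server":
            out["server"] = value
        elif key == "address" and not in_answer:
            out["server_address"] = value  # the resolver, not the answer
        elif key == "name":
            out["name"] = value
        elif key in ("address", "addresses"):
            cont = out["addresses"]
            if value:
                cont.append(value)
        elif key == "aliases":
            cont = out["aliases"]
            if value:
                cont.append(value)
    return out


def compare(local_text, reference_text):
    """Findings from comparing the router's answer with a reference resolver's answer."""
    local, ref = parse_nslookup(local_text), parse_nslookup(reference_text)
    findings = []
    try:
        via_router = ipaddress.ip_address(local["server_address"]).is_private
    except ValueError:
        via_router = False
    if via_router:
        findings.append("NOTE: answers came via the router (%s); a clean PC config proves nothing "
                        "if the router forwards to a rogue resolver" % local["server_address"])
    if (local["name"] or "").lower() != (ref["name"] or "").lower():
        findings.append(f"SUSPICIOUS: canonical name differs: {local['name']} vs {ref['name']}")
    if {a.lower() for a in local["aliases"]} != {a.lower() for a in ref["aliases"]}:
        findings.append(f"SUSPICIOUS: alias chain differs: {local['aliases']} vs {ref['aliases']}")
    if set(local["addresses"]) != set(ref["addresses"]):
        findings.append("INFO: addresses differ; normal for CDN-hosted sites when name and aliases match")
    return findings


# Constructed: the thread's Santander answer as seen via the router.
LOCAL_OK = """\
Server:  www.routerlogin.com
Address:  192.168.0.1

Non-authoritative answer:
Name:    e3625.b.akamaiedge.net
Address:  2.18.190.196
Aliases:  www.santander.co.uk
          santander.co.uk.edgekey.net
"""

# Constructed: the same query sent to an independent resolver (nslookup www.santander.co.uk 8.8.8.8).
REFERENCE = """\
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    e3625.b.akamaiedge.net
Address:  23.14.222.196
Aliases:  www.santander.co.uk
          santander.co.uk.edgekey.net
"""

# Constructed illustration of a hijacked answer: no CNAME chain, name resolved directly
# to an address that is not the bank's CDN (198.51.100.7 is a documentation address).
LOCAL_HIJACKED = """\
Server:  www.routerlogin.com
Address:  192.168.0.1

Non-authoritative answer:
Name:    www.santander.co.uk
Address:  198.51.100.7
"""

if __name__ == "__main__":
    for label, text in (("clean", LOCAL_OK), ("hijacked", LOCAL_HIJACKED)):
        print(label)
        for finding in compare(text, REFERENCE):
            print("  ", finding)
```

The clean pair produces only the NOTE and INFO lines; the hijacked pair adds two SUSPICIOUS lines. Different addresses alone should never be read as a hijack for a CDN-fronted site.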

flatpackhamster · 02/07/2012 10:57

Another thought occurs - that the browser itself is still being redirected. The HijackThis log would confirm that.

Have you managed to run Hijackthis? You'll need to 'Do a system scan and save a logfile', and then copy and paste the contents of the logfile (which appear in Notepad) into your post on MN for me to take a butchers.

Ponders · 02/07/2012 11:08

Have reinstalled Hijack this. When I click the log button I get

For some reason your system denied access to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this.
If that happens, you may need to edit the file yourself. To do this click Start, Run & type:

notepad c:\Windows\System32\drivers\etc\hosts

and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as 'hosts' (with quotes) and reboot.
For Vista: simply exit HijackThis, right click on the HijackThis icon, choose 'Run as administrator'.

There is an OK button at the bottom but I haven't clicked it yet, I thought I'd check with you first.

I am on Vista btw (is the combination of Vista & AOL the worst in the world?)

Ponders · 02/07/2012 11:10

oh, behind that box is another one that says

O1 Hosts file redirection

& lists some HKCU HKLM things

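
The "O1 Hosts file redirection" section HijackThis shows is a scan of the file its warning names. As an added example (not code from HijackThis or from anyone in the thread), here is the same review in Python: it reads hosts-file text, ignores comments, and separates entries that redirect a name to some other host (what a hosts-file hijack does) from entries that merely block a name by pointing it at 127.0.0.1 or 0.0.0.0 (the ad-blocking pattern, which is also how malware stops antivirus update sites from resolving). The sample file content is constructed; the path constant is the standard Windows location quoted in the HijackThis message, and on Vista reading it needs no elevation even though editing it does.

```python
"""Review a Windows hosts file for redirect and block entries (added example; sample content is constructed)."""
import ipaddress

# Standard location; readable as any user, writable only from an elevated editor on Vista and later.
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def classify_hosts(text):
    """Split hosts entries into redirects (name -> some other host) and blocks (name -> loopback/0.0.0.0).

    Comments (# ...) and blank lines are ignored; one line may carry several names.
    'localhost' pointing at loopback is the normal default and is not reported.
    """
    redirects, blocks = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a hosts entry (garbage or a continuation of a comment)
        for name in fields[1:]:
            if addr.is_loopback or addr.is_unspecified:
                if name.lower() not in ("localhost", "localhost.localdomain"):
                    blocks.append((fields[0], name))
            else:
                redirects.append((fields[0], name))
    return {"redirects": redirects, "blocks": blocks}


# Constructed sample: the two default entries, one ad-block style entry, one redirect
# (198.51.100.7 is a documentation address, not anything observed in the thread).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net                        # ad-blocking style entry
198.51.100.7    www.santander.co.uk santander.co.uk    # redirect: a bank name pointed elsewhere
"""

if __name__ == "__main__":
    result = classify_hosts(SAMPLE_HOSTS)
    # Real use on Windows:
    #   with open(HOSTS_PATH, encoding="utf-8", errors="replace") as f:
    #       result = classify_hosts(f.read())
    for ip, name in result["redirects"]:
        print(f"REDIRECT {name} -> {ip}  (no legitimate reason on a home PC; delete the line and reboot)")
    for ip, name in result["blocks"]:
        print(f"BLOCK    {name} -> {ip}  (fine for ad domains; not fine for antivirus or update domains)")
```

Any REDIRECT line for a bank, webmail or search domain is the finding HijackThis would list under O1; the block list is worth a glance only for security-vendor names.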
flatpackhamster · 02/07/2012 11:36

Don't worry about the hosts file for now. The reason you're getting that is that Vista blocks access to the hosts file unless you're running Hijackthis in administrator mode (right click, run as admin).

So click OK on the box. Then you'll be able to create the log file.

Yes, Vista/AOL are the worst combination in the world. Apart from Apple/Anything. ;)

You can upgrade Vista to Win7 for about £85. It's a simple job and will give the machine a real speed boost. But, depending upon the age of the computer, it may not be worth doing.

Ponders · 02/07/2012 12:44

this machine is oooold. I will be getting a new one before much longer. will give DH your donkey balls quote to think about changing from aol Grin

I've got results of scan, clicked analyse this for "a logfile to show knowledgeable folks" Grin but IT WON'T OPEN BECAUSE OF MY PC PROBLEM!!!!

flatpackhamster · 02/07/2012 12:47

Can you take a screenshot of it (print screen), save it to Paint and email it?

Ponders · 02/07/2012 13:08

I'll try!

How do I do that? Press the PrtScn button & then what? (There is a child at home who could help me, but he's out atm)

Ponders · 02/07/2012 13:16

oh it's ok, hamster - DH just rang, fortuitously (he roared at your donkey balls comment) so I know now.

it'll need 2 screenshots.

can you PM me your email address please?

Ponders · 03/07/2012 22:23

IT'S FIXED!!!!

DH rang AOL for the 4th or 5th time this evening & finally got someone who knows about our problem

there was other rogue coding within the router - the chap talked him through it (they went into very advanced levels), & then got him to try logging on to bbc.co.uk, & was probably even happier than DH when it actually opened Grin

thanks to both of you for help & moral support Thanks

nannynick · 03/07/2012 22:27

Good to hear you now have a working system. I wonder what had happened to the router. With luck it will now keep working. Maybe worth changing the password to the admin interface on the router (if you do, write the password on a sticky note and stick it to the bottom of the router). Not sure if that would stop a virus from getting access to the router but it might help, as most routers are left on default settings.

Ponders · 03/07/2012 22:58

router now has both new id & new password, nick Smile

I don't know exactly what happened to it, & I'm not sure DH does either - AOL chap took him through to deeper magic from before the dawn of time - I think he just clicked on things as instructed Grin
