Rogue DNS Settings

Lothy

New member
Hey guys,

I am in need of some assistance...

tl;dr: Got spyware, removed it, but somehow the DNS settings on my router changed to a rogue DNS server.


A while ago I got a scare with the CryptoWall virus and was doing a lot of research. While researching, a pop-up on a website said I needed a Java update, and without thinking I clicked the damn thing... Now the install started and that's when I noticed that this didn't look like the usual Java update, and I didn't proceed. Now I reckon that was enough to get some malware onto my machine, but I didn't know at the time.

A couple of days later I noticed that every time I visited a site or clicked on a page a new page would pop up. So I downloaded some malware removal apps, proceeded to remove it all and everything went back to normal. Again, about a week later the issue returned, but when I did my scans I couldn't find anything. I even went to the extent of downloading an offline virus scanner onto a disk, booted into the disk and ran another scan, only to find nothing. It was only when I happened to check a site on my iPad that the problem showed up there and it got me thinking about my DNS. I logged onto my router and under DNS I found 2 weird addresses. I changed them to local SAIX addresses and the problem went away.

So my question is:

1. How did the DNS on my router get changed, and how do I prevent it in future?
2. I have noticed that the address does change from time to time, but I think this is related to WebAfrica (if anyone else uses WA, please let me know if you notice DNS changes).
 
Sorry, I can't see the settings of a router's DNS being changed by spyware/malware. Are you sure your network adapter settings weren't changed, or maybe the spyware put proxy settings into your browser?
 
I also don't think it's your router. If the problem is sorted after the router DNS changes, good, but it could still be a browser hijack, dodgy proxy settings, changed TCP/IP settings or even changes to your hosts file.

Scan with Malwarebytes, check proxy settings, check network settings and check the hosts file.

How To
Not sure what tools you used, but I trust Malwarebytes to scan for Malware.

Check your Proxy settings in Control Panel > Internet Options > Connections Tab > Lan Settings Button. Only "Automatically detect settings" should be ticked. Other options should be unticked and the fields should be empty.

Check TCP/IP settings in Network and Sharing Center > Connection Status > Properties button > double-click TCP/IPv4. Both "Obtain IP address automatically" and "Obtain DNS server address automatically" should be ticked. I am assuming you use DHCP from your router.

Also check your hosts file in C:\Windows\System32\drivers\etc. Open it with Notepad. Everything should have a # in front of it (commented out).
 
That's what I thought! But I saw the weird DNS addresses on my router, and only after changing them did the additional web pages stop popping up.

My router password was saved in internet explorer, so I don't know if it was possible for the spyware to access it that way.

Also, the spyware I was having issues with was Ad Cash, just in case anyone else has encountered it.
 
The router is odd, never ever seen this before, but for this it is always important not to leave your router on default passwords...

As for the rest: Malwarebytes scan first, CCleaner second.

Then if you still get the pop-ups, check your HOSTS file and clear out entries there.

Lastly, delete your local browser profiles and start them clean (just re-installing does NOT clean this out).

All done after that.
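The checks recommended in the "How To" post above and repeated here (look for active, non-commented entries in the HOSTS file, and make sure the configured DNS servers are the ones you expect) can be scripted so they are easy to repeat after a clean-up. The following is an added example, not code from any poster in this thread. The HOSTS content, the "configured" DNS servers and the "expected" ISP servers are all constructed values; in practice you would paste in the contents of C:\Windows\System32\drivers\etc\hosts and the DNS servers shown by `ipconfig /all` or by the router's admin page.

```python
"""Audit a Windows-style HOSTS file and a list of configured DNS servers.

Added example (not from the thread). Assumes the standard HOSTS format:
<ip> <hostname> [more hostnames] [# comment]. Anything after '#' is ignored,
so a file that is fully commented out yields no active entries.
"""
import ipaddress

# Constructed sample HOSTS content, not anyone's real file. Line 6 is the kind
# of entry a hijack leaves behind: a real-looking hostname mapped to a remote IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1   localhost
198.51.100.7   www.example-bank.test   # maps a name to a remote address
0.0.0.0     ads.tracker.test
"""

# Loopback and the 0.0.0.0 "blackhole" address are the only destinations a
# legitimate hosts entry normally points at.
LOOPBACK_OK = {"127.0.0.1", "::1", "0.0.0.0"}


def hosts_entries(text):
    """Yield (line_no, ip, [hostnames]) for every active (uncommented) entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing or full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:  # malformed line: no hostname after the address
            continue
        yield line_no, parts[0], parts[1:]


def suspicious_hosts_entries(text):
    """Return active entries whose address is not loopback/blackhole or not a valid IP."""
    flagged = []
    for line_no, ip, names in hosts_entries(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((line_no, ip, names, "not a valid IP address"))
            continue
        if ip not in LOOPBACK_OK:
            flagged.append((line_no, ip, names, "maps a name to a remote address"))
    return flagged


def unexpected_dns_servers(configured, expected):
    """Return configured DNS servers that are not in the admin's expected set.

    Both lists are normalised through ipaddress so "203.0.113.053"-style
    variants compare equal to their canonical form.
    """
    expected_set = {str(ipaddress.ip_address(a)) for a in expected}
    return [a for a in configured
            if str(ipaddress.ip_address(a)) not in expected_set]


if __name__ == "__main__":
    # Constructed values: pretend the router hands out two servers, one of which
    # is not one of the ISP's (expected) resolvers.
    configured = ["203.0.113.53", "198.51.100.9"]
    expected = ["203.0.113.53", "203.0.113.54"]

    for line_no, ip, names, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts line {line_no}: {ip} -> {', '.join(names)} ({reason})")
    for server in unexpected_dns_servers(configured, expected):
        print(f"DNS server {server} is not one of the expected resolvers")
```

Only active entries are reported, so a HOSTS file where every line starts with `#` passes cleanly, which is exactly the state the "How To" post says to look for. The DNS check is deliberately an allowlist: rather than trying to recognise "bad" resolvers, you list the ones your ISP (or your own network) should be handing out and flag anything else, which also catches the case where the router's settings quietly change again later.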
 
Yeah, I went to those extents. I actually can't remember if I checked my HOSTS file. I'll double-check that when I get home.
 