Strange popups problem

Discussion in 'malware problems & news' started by emperordarius, Nov 10, 2008.

Thread Status:
Not open for further replies.
  1. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    The DNS client is started and set to automatic.
     
  2. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    emperordarius,

    You can try and stop DNS Client, though I don't think that will change anything. But, just hang on in there, have to go now, but I'll return later. Hopefully I will think of something smarter.

    Cheers for now,
     
  3. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    I have another idea. I'll try to monitor that path with Process Monitor and see which process modifies it. Though I don't know what to put in the filter options. I put the path to

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer

    But when I access it with regedit, Process Monitor doesn't show anything.
     
  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Just a guess here, but it sounds like DNS poisoning. If the server has been poisoned, this can let the malware author redirect you anywhere. Now, how to fix it I'm honestly not sure of yet.
     
  5. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi,

    emperordarius, you are monitoring the wrong key, here you can find change related to DNS :

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\"GUID of your network interface"\

    Why not use the OpenDNS ones?

    Regards,

    MaB
     
  6. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    If it really is a case of DNS poisoning, this can easily be checked by skipping DNS lookups.

    emperordarius, find out the IP address of the site that gives you popups (I can of course assist, you just need to give me the URL of the site) and enter this address in your browser instead of the URL. If you don't get popups anymore, then the DNS servers are poisoned/pharmed. If the popups are still there, then the problem lies elsewhere.
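    The check Seer describes (bypass the suspect resolver and see whether the answer changes) can also be done from a script. The following is an added example, not code from anyone in this thread: it resolves the same names through the system's configured resolvers and through a resolver you trust, then reports where the answers diverge. It assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later) is available and uses the OpenDNS address 208.67.222.222 as the trusted reference; the host names are constructed test inputs, so substitute the site that produces the popups.

```powershell
# Added example: compare A records from the system resolvers with those from a
# trusted resolver. A name that the system resolver points at an address the
# trusted resolver never returns is the signature of a pharmed/poisoned DNS
# setting. Assumptions: Resolve-DnsName exists (Windows 8+), 208.67.222.222 is
# reachable and trusted, and the names below are placeholders for the real site.

$Trusted = '208.67.222.222'                 # OpenDNS public resolver (assumed trusted)
$Names   = @('example.com', 'example.net')  # constructed test inputs

function Get-ARecords {
    param([string]$Name, [string]$Server)
    $params = @{ Name = $Name; Type = 'A'; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $params.Server = $Server }   # no -Server: use the system's configured resolvers
    Resolve-DnsName @params |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress |
        Sort-Object -Unique
}

function Compare-Resolvers {
    param([string[]]$Names, [string]$Trusted)
    foreach ($n in $Names) {
        $local   = @(Get-ARecords -Name $n)
        $trusted = @(Get-ARecords -Name $n -Server $Trusted)
        # Addresses the system resolver returned that the trusted one did not.
        # Geo-balanced CDNs can legitimately differ, so treat a mismatch as a
        # lead to inspect (whois the address, compare it with the browser test
        # from the post), not as proof by itself.
        $extra = @($local | Where-Object { $trusted -notcontains $_ })
        [pscustomobject]@{
            Name            = $n
            SystemResolver  = ($local -join ', ')
            TrustedResolver = ($trusted -join ', ')
            Verdict         = if ($extra.Count -gt 0) { 'DIFFERS - inspect' } else { 'consistent' }
        }
    }
}

Compare-Resolvers -Names $Names -Trusted $Trusted | Format-Table -AutoSize
```

    On a machine whose resolver has been changed, the SystemResolver column for the affected site shows an address that never appears under TrustedResolver; on a clean machine the two columns agree (or differ only within one CDN's address pool). The manual browser test from the post is still the quickest confirmation once you have the address.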
     
  7. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Thanks Seer for the info, I am naive in this area and that's good info for myself to keep in mind.
     
  8. webster

    webster Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    285
    Location:
    Denmark
    DNSChangers are usually rootkits. Maybe you can dig it out with RootRepeal http://rootrepeal.googlepages.com/ . Be aware that they often replace legitimate Windows files.
     
  9. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    emperordarius, after your cleaning use OpenDNS (tutorial) as suggested by MaB69. Don't forget to password-protect your router after.

    thanatos
     
  10. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Oh, now I understand.

    The wireless connection I'm not using is not mine, therefore I cannot do anything.
    I guess that the problem resides in the router, not in my computer, and that makes me feel a lot better. About the popups, I guess I have no choice but to use YesPopups to block them all, but in the end it's the only way to use the internet (since my subscription is over).

    BTW: RootRepeal found nothing (except for my hidden p0rn :D ), so I guess that my computer is really clean.

    Does OpenDNS prevent those popups?
     
    Last edited: Nov 12, 2008
  11. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Why don't you reset your router, then use those Sysinternals programs to watch what happens on your computer and the connections to your router?
     
  12. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    I doubt OpenDNS will make a difference if the trojan is still there. You can reset your router, use OpenDNS and password-protect your router, but this is just like sweeping dust under the carpet. Be warned though that a variant of this trojan can bypass a password-protected router.

    You have Comodo, right? Go to D+, add this to "My Protected Registry Keys":

    [HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces]
    "NameServer"

    Wait for the DNSChanger to strike.

    Here are some benefits of OpenDNS including a parental filter for you :D. If you have an account go to your dashboard.

    thanatos
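    MaB69's post names the per-interface key that a DNSChanger actually rewrites, and thanatos_theos suggests watching the NameServer value in it. The script below is an added example, not code from either poster or from any product mentioned: it reads the global Tcpip\Parameters key and every Interfaces\{GUID} subkey, splits the NameServer and DhcpNameServer values into individual addresses, and flags any resolver that is not on an allowlist you control. The allowlist contents are an assumption (the two OpenDNS resolvers); replace them with whatever resolvers you expect. Run it from an elevated PowerShell prompt.

```powershell
# Added example: audit the registry locations where Windows stores DNS resolver
# addresses and flag any address outside an allowlist. Both the static
# NameServer value and the DHCP-supplied DhcpNameServer value are checked, since
# the thread shows the poisoned address arriving via DHCP from the router.
# Assumption: the allowlist below is what you consider legitimate; adjust it.

$Allowed = @('208.67.222.222', '208.67.220.220')   # OpenDNS resolvers (assumed allowlist)
$Base    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DnsSettings {
    # One object per registry key that can carry resolver addresses:
    # the global Parameters key plus every Interfaces\{GUID} subkey.
    $locations = @(Get-Item -Path $Base) + @(Get-ChildItem -Path "$Base\Interfaces")
    foreach ($key in $locations) {
        $p = Get-ItemProperty -Path $key.PSPath
        [pscustomobject]@{
            Key            = $key.PSChildName
            NameServer     = $p.NameServer        # statically configured resolvers
            DhcpNameServer = $p.DhcpNameServer    # resolvers handed out by DHCP (the router)
        }
    }
}

function Test-DnsSettings {
    param([string[]]$Allowed)
    foreach ($s in Get-DnsSettings) {
        foreach ($field in 'NameServer', 'DhcpNameServer') {
            $raw = $s.$field
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            # Values are comma- or space-separated lists of IP addresses.
            $servers = $raw -split '[ ,]+' | Where-Object { $_ }
            foreach ($ip in $servers) {
                [pscustomobject]@{
                    Key    = $s.Key
                    Field  = $field
                    Server = $ip
                    Status = if ($Allowed -contains $ip) { 'ok' } else { 'UNEXPECTED' }
                }
            }
        }
    }
}

$report = Test-DnsSettings -Allowed $Allowed
$report | Format-Table -AutoSize

# Non-zero exit when anything unexpected is present, so the script can run
# from a scheduled task and a monitoring tool can pick up the result.
if ($report | Where-Object { $_.Status -eq 'UNEXPECTED' }) { exit 1 } else { exit 0 }
```

    Any row marked UNEXPECTED under a DhcpNameServer field points at the router (or whatever answers DHCP on that network) rather than at the PC, which matches the conclusion the thread reaches; a row under NameServer on an interface you did not configure by hand points at something on the machine itself and is the case where Comodo's registry protection or a Process Monitor trace on that exact key is the next step.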
     
  13. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Just in case anyone missed those -

    Cheers,

    EDIT: emperordarius, you cannot use OpenDNS if you cannot access the router. As the IP addresses of DNS servers are entered in this (inaccessible) router, you would have to live with these popups, and, as you said, use a good popup blocker.
     
    Last edited: Nov 12, 2008
  14. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Actually it looks like I can. I disabled the option to automatically select a DNS server (which was probably the reason why the infected server was selected) and set my DNS server to the OpenDNS one. Now the popups are gone both in FF and IE, and the malicious DNS is not reappearing in the registry anymore. The problem looks resolved. I may post back if the thing reappears. If I get the chance to talk to the wireless' owner (apart from asking him to keep the connection open a bit more :D ), I'll alert him of the DNS infection.

    Thank you all for your support.:)
     
  15. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Then the DNS servers are not fixed within the router, which, in this case, is a good coincidence for you.

    Cheers,

    EDIT: Just an example from my router settings -

    [attached image: 121108dns.jpg]
     
    Last edited: Nov 12, 2008
  16. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    OpenDNS, delete the hosts file, and if the network has language settings, set it to block all foreign websites.
     