Remove static DNS entries
I have cleaned a Vista client PC after a virus attack. Now the only thing that remains to solve is that common domains such as google.com are redirected. Running "ipconfig /displaydns" shows a lot of domains and the rogue IP they are redirected to, but I can't figure out how to remove them. Running "ipconfig /flushdns" does nothing, and the entries persist after reboot. I know this sounds like entries in "C:/Windows/system32/drivers/etc/hosts", but that file doesn't even exist (should it?). Looking in "HKLM/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters", the "DataBasePath" value reads "%systemroot%\system32\drivers\etc" as expected. I have tried searching the web, but only found references to the "hosts" file. Are there any alternative paths where the infected "hosts" file could be, or some other source that does the same thing? Thanks
December 3rd, 2011 9:29am

Your Hosts file location is correct and the registry key pointer is correct. Check this registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix. The (Default) field in the right pane should contain http://. It may be suffixed with something like ehttp.cc/; just change it and restart the computer. If it is still misbehaving, download HijackThis and delete any redirection entries beginning with 01, 13 and 17.
December 3rd, 2011 2:58pm
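
A read-only PowerShell check of the locations discussed above (the DataBasePath value, the hosts file it points to, and the DefaultPrefix key), added here as an example and not part of the original thread. The DNS server values under the same Tcpip key are an extra check the posts do not mention, and the script assumes PowerShell 2.0 or later is installed on the client.

```powershell
# Read-only audit of the redirection points named in this thread.
# Nothing is modified; run from an elevated PowerShell prompt.
$tcpip     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$prefixKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix'

# 1. Directory Windows uses for the hosts file (normally %systemroot%\system32\drivers\etc)
$params    = Get-ItemProperty -Path $tcpip
$hostsDir  = [Environment]::ExpandEnvironmentVariables($params.DataBasePath)
$hostsFile = Join-Path $hostsDir 'hosts'
"DataBasePath : $hostsDir"

# 2. Active (non-comment) hosts entries. -Force also reaches a file carrying the
#    Hidden/System attributes, which a default Explorer or dir listing would not show.
if (Test-Path -LiteralPath $hostsFile) {
    $item = Get-Item -LiteralPath $hostsFile -Force
    "hosts file   : $hostsFile (attributes: $($item.Attributes))"
    Get-Content -LiteralPath $hostsFile -Force |
        Where-Object { $_ -match '^\s*[^#\s]' } |
        ForEach-Object {
            $parts = @(($_ -replace '#.*$', '').Trim() -split '\s+')
            if ($parts.Count -ge 2) {
                $names = $parts[1..($parts.Count - 1)] -join ', '
                "  entry      : $names -> $($parts[0])"
            }
        }
} else {
    "hosts file   : not found at $hostsFile"
}

# 3. URL DefaultPrefix: the (Default) value should be exactly http://
if (Test-Path $prefixKey) {
    $prefix = (Get-Item -Path $prefixKey).GetValue('')
    if ($prefix -eq 'http://') { "DefaultPrefix: $prefix (expected)" }
    else                       { "DefaultPrefix: '$prefix' (REVIEW: expected http://)" }
} else {
    "DefaultPrefix: key not present"
}

# 4. Added check (not from the thread): DNS servers configured globally and per interface
"NameServer   : static='$($params.NameServer)' dhcp='$($params.DhcpNameServer)'"
Get-ChildItem -Path "$tcpip\Interfaces" | ForEach-Object {
    $i = Get-ItemProperty -Path $_.PSPath
    if ($i.NameServer -or $i.DhcpNameServer) {
        "  $($_.PSChildName): static='$($i.NameServer)' dhcp='$($i.DhcpNameServer)'"
    }
}
```

Any hosts entry other than the localhost lines, a DefaultPrefix value that is not exactly http://, or a DNS server you do not recognise is worth reviewing before changing anything.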

Thanks, never heard of HijackThis, but seems like a great tool! It worked great on this problem and will probably save me hours when fixing problems in the future.
December 3rd, 2011 6:10pm

I’m glad HJT worked.

1. As you intend to use it permanently, here are two useful sites:
   System Lookup can look up each line: http://www.systemlookup.com/lists.php
   List of all the relevant sections of HijackThis: http://www.bleepingcomputer.com/tutorials/tutorial42.html#RDiag

2. Here is another useful tool that can help you start an infected PC by running an offline scan to help identify and remove rootkits and other malware: it's Microsoft’s Standalone System Sweeper. Although it’s still at the beta testing stage, it runs very well indeed. Download the appropriate 32-bit or 64-bit version here https://connect.microsoft.com/systemsweeper and burn a CD. Boot the infected computer from the CD and run a full scan. Anyone who repairs viruses, rootkits and the like should use this program. It also has a nice Windows interface, unlike the clumsy Linux equivalents. If the CD hasn’t recently been created, the definitions database will be out of date and could miss the malware. However, if the infected machine has a wired internet connection, click Help at the top and choose Download to update the definitions before running the scan.
December 4th, 2011 3:21am
