Local DNS Hijack

Greetings folks,

Hoping for some assistance on an issue facing one of my clients that has me stumped.

2 people at a company have reported occasionally having web searches redirect to strange addresses. It's been happening for 2-3 weeks. I've checked, and it looks like there is a secondary DNS server added that's likely malicious. This was seen on both.

Other than that, no other behavior is reported. The installed EDR has been silent, and a MBAM full scan on the first user's computer has come up clean. 

DNS should be coming from the firewall which afiak is fine and secure, nothing strange. I'm hoping someone can check the attached frst logs and advise if there is any evidence of local infection that I've missed.

Thanks!

(I've censored the logs a touch, if a fixlist is provided I'll edit the user and company name back in, if required.)

Darn, I double posted. Can someone delete the other one please?

Edited by Chris Cosgrove, 15 April 2024 - 06:26 PM.
Duplicated post deleted.

Hi syne0,
My name is Dennis and I will assist you with your computer problems.
Please read through these guidelines before we start.

• Back up any important data, as a precaution, before starting this process.
• If you are unsure about anything then please ask. This makes the task much easier in the long run.
• Do not run any other tools or make changes to your system during the removal process.
• Please do not start a new topic and keep all replies in this thread.
• Follow the instructions in the sequence advised.
• Copy and paste the logs into the reply. I will advise if anything needs to be added as an attachment.
• Here at Bleeping Computer we are mostly volunteers, so please be patient with us. I’ll try to respond within 24 hours. You will be advised if it is expected to be longer than 48 hours.
• Please let me know if you are going to be delayed in responding. If you do not reply after 5 days, I’ll assume you do not want to continue and will close the topic.
• Sometimes things might seem to be resolved, but there may still need to be more checks necessary, so please wait until I give the all clear.

Please give me some time to examine your logs and I will get back to you as soon as possible.

Dennis

Although there are no obvious signs of malware, I have some questions and observations for your consideration.
1) Could you please advise more information on the secondary DNS server that you refer to.
Also are you aware of this IP address being present?
Tcpip\Parameters: [DhcpNameServer] 89.208.105.113
It appears to be Aeza International Ltd - Netherlands
2) Are the redirects to the same address and if so what is that address? (Please don't post as a link, in case other users click on it).
3) Has this been happening on the same browser, for both users? I would suggest clearing the cache(s) as a precautionary measure.
We could run a more powerful clean-up, which will empty the following directories:

•     Windows Temp
•     Users Temp folders
•     Caches, HTML5 storages, Cookies and History for browsers scanned by FRST except Firefox clones
•     Recently opened files cache
•     Discord cache
•     Java cache
•     Explorer thumbnail and icon cache
•     BITS transfer queue (qmgr.db and qmgr*.dat files)
•     WinHTTP AutoProxy cache
•     DNS cache
•     Recycle Bin

However this may result in some websites (like banking) indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
I'll await your confirmation before running this.
4) There have been some policy changes made. Are you aware of these?

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall: Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
"C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}" was unlocked. <==== ATTENTION
"C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}" was unlocked. <==== ATTENTION

5) Do you recognise this?

HKU\S-1-5-21-2814321435-3934866655-2077815162-4663\Control Panel\Desktop\\SCRNSAVE.EXE ->

6) There are no restore points recorded, so let's do this next.

• Right click on the FRST icon and select Run as administrator.
• Highlight all of the information in the text box below then hit the Ctrl + C keys together to copy the text.
• It is not necessary to paste the information anywhere as FRST will do this for you.

Start::
SystemRestore: On
CreateRestorePoint:
Reboot:
End::

• Click on the Fix button just once and wait.
• Please make sure you let the system restart normally.
• When it's finished FRST will generate a log in the location you ran the tool from. (Fixlog.txt).

Please copy the contents from this text file and paste into your next reply.

7) Then please run a scan with AdwCleaner as follows.
Please download AdwCleaner.

• Close all open programs and browsers
• Right click on the icon and select Run as administrator
• Click Scan Now
• When the scan has finished AdwCleaner shows you all detected PUPs and adware.
• If any are found, select them and click Quarantine. (I would suggest that you do not select Pre-installed applications for now, or any other items you wish to keep.)
• AdwCleaner prompts you to save and close your work before continuing. Click Continue.
• After cleaning, you are prompted to restart your device. Click Restart now to complete the cleanup process.

Once your computer has restarted ...

•     If it doesn't open automatically, please start AdwCleaner.
•     Click on View Log File button (This log can also be found in the Log Files tab).
•     A Notepad file will open containing the results.
•     Click Skip Basic Repair (if the option appears)
•     Please post the contents of the file in your next reply.

Edited by dennis_l, 16 April 2024 - 10:22 AM.

Hey Dennis,

ADWCleaner scan came back clean. The other entries you pointed out were benign or expected.

When I went to remove the DNS Server from the computer I discovered that it was actually inheriting it from the firewall (which wasnt documented). It looks like the firewall admin was WAN accessible with default credentials, and someone added the malicious DNS server directly into the firewall DNS.

Thank you for your time and effort! I think we are OK to close this since I've confirmed it's not a local device issue.

You are most welcome.
I am pleased to hear that the issue is resolved now.

• FRST can be removed as follows:
• Right-click on FRST64.exe and select Rename.
• Rename the file to Uninstall.exe.
• Double-click on Uninstall.exe.
• FRST and its files/folders will now be deleted.
• A reboot may be needed to complete the process.

These articles offer good advice and information for the future.
Keep your computer secure at home
How your system gets infected.
Ransomware advice.
Choosing Secure Passwords.
Thank you for contacting us at Bleeping Computer.

Dennis

I am closing this topic, as the issues appear to have been resolved.
If you need to continue, would you please send me or any Moderator a Personal Message (PM), advising that you would like it to be re-opened.
Please include a link to the topic in the Personal Message.