  Re: Domain Poisoning?  
From: Sabrina Kilian
Date: 23 Sep 2009 00:22:19
Message: <4ab9a27b$1@news.povray.org>
Mike Raiford wrote:
> What happens is this: You click on a website (in my wife's case, it was
> a result from a Google search, in my case, a bookmark to Tor Olav's
> website) but instead of the site you were expecting you're redirected to
> some bogus virus scanner website, which then tells you you have hundreds
> of infected files and to download their "virus scanner", which is
> actually a trojan horse, that loads up your computer with all sorts of
> malware, then demands you pay for the program to clean your infected
> computer.

I have seen this behavior with viruses, the annoying Vundo strain in
particular. It leaves the DNS entries alone, but installs several
proxies and tries to redirect all traffic through those. DNS appears to
work fine, as I threw a second computer into the network with a packet
sniffer. But when you request a page, that traffic gets sent to the
proxy, which then adds in the pop-up windows and who knows what else.

My best advice to see what is happening is a packet sniffer on a second
computer. If it is a virus, the computer will send a DNS request, get
back an address for the website, and then send packets to the proxy at a
third address. If the packets go to a DNS server that is not the one you
think it should be, also a virus. If neither of those, then you can sort
out which DNS is junk; on the computer, the router, the ISP, or worse.

If both the PCs with the problem are running Windows, I would be looking
at something like the Opachki virus, not DNS poisoning. Specifically
because your computer has not experienced it, if it is on the same
network as your wife's.


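The check described in the post above, run over a capture summary instead of by eye. This is an added example, not part of the original message; the record format, the `triage` function, and all addresses are constructed for illustration, and it assumes the router at 192.168.1.1 is the DNS server the suspect machine is supposed to use.

```python
WEB_PORTS = {80, 443}
HOST = "192.168.1.20"      # constructed: the machine being watched
ROUTER = "192.168.1.1"     # assumption: the resolver the host should be using

def triage(packets, host, expected_resolvers):
    """Return (finding, address) pairs for one host from a capture summary."""
    findings = []
    resolved = set()       # addresses DNS has handed back to the host so far
    for p in packets:
        if p["kind"] == "dns_query" and p["src"] == host:
            # Queries leaving for a resolver nobody configured.
            if p["dst"] not in expected_resolvers:
                findings.append(("unexpected_resolver", p["dst"]))
        elif p["kind"] == "dns_answer" and p["dst"] == host:
            resolved.update(p["addrs"])
        elif p["kind"] == "tcp_syn" and p["src"] == host and p["dport"] in WEB_PORTS:
            # Web traffic to an address no DNS answer ever named: the
            # "third address" proxy pattern. Lookups cached before the capture
            # began also land here, so flush the DNS cache first or treat a
            # hit as a lead to follow up, not as proof.
            if p["dst"] not in resolved:
                findings.append(("web_traffic_to_unresolved_address", p["dst"]))
    return findings

# Helpers that build constructed sample records (not real traffic).
def q(resolver):
    return {"kind": "dns_query", "src": HOST, "dst": resolver, "name": "example.org"}

def a(resolver, addrs):
    return {"kind": "dns_answer", "src": resolver, "dst": HOST, "addrs": addrs}

def syn(dst, dport=80):
    return {"kind": "tcp_syn", "src": HOST, "dst": dst, "dport": dport}

# DNS looks fine, but the page request goes somewhere else entirely.
PROXY_CASE = [q(ROUTER), a(ROUTER, ["203.0.113.10"]), syn("198.51.100.77")]
# Lookups go to a resolver that is not the configured one.
ROGUE_DNS_CASE = [q("198.51.100.53"), a("198.51.100.53", ["203.0.113.66"]),
                  syn("203.0.113.66")]
# Neither symptom: if redirects still happen, compare the answers themselves
# against a resolver you trust to find which DNS is returning junk.
CLEAN_CASE = [q(ROUTER), a(ROUTER, ["203.0.113.10"]), syn("203.0.113.10")]

if __name__ == "__main__":
    for name, case in [("proxy", PROXY_CASE), ("rogue dns", ROGUE_DNS_CASE),
                       ("clean", CLEAN_CASE)]:
        print(name, triage(case, HOST, {ROUTER}))
```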

Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.