I usually have no problem dealing with trojans and malware, but this one proved to be the hardest yet, because it operates in a way we don't expect. Usually a trojan operates within your PC, but what if the exploit is hosted somewhere else on the web?
Woah! This took a week. Thanks to the people who commented on this blog. I could not figure out this solution without all of you who bounced your ideas here.
Anyway, let's get rid of it.
1. In the Windows menu go to Start > Run.
2. Type cmd.
3. This will fire up the command window.
4. Type ipconfig /all.
5. This will display the actual configuration of your LAN card. Pay particular attention to the DNS Servers entry. On my PC I got three entries: 0.255.122.15, 85.255.112.156 and 1.2.3.4. Two of these entries are not correctly formed, while 85.255.112.156 is the DNS address of the exploiter. A proper DNS entry given by your ISP should look something like 58.69.254.143.
6. Type ipconfig /release.
7. Then type ipconfig /renew.
8. Then do an ipconfig /all again to check that your DNS settings have been corrected.
This should be enough if you are connected directly to the DSL modem, but what if you are connected through a router? Then you have to correct the settings in your DSL router first, before you correct the settings in your LAN card. In my case I have a Linksys router. What I did was fire up the browser-based administration module of the Linksys, set all the static DNS settings to 0.0.0.0, and then do a DHCP release and DHCP renew there. After that I corrected the entries in my LAN card. From then on you can use your browser normally; you won't be needing the NoScript add-on anymore.
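The manual check in steps 4 to 8 can be scripted. The following is an added example, not code from the original post: it reads each adapter's DNS servers through the Win32_NetworkAdapterConfiguration WMI class (the same data ipconfig /all prints), flags anything that is not one of your ISP's resolvers, and with -Fix clears the pinned list so DHCP supplies it again. The $TrustedDns list is an assumption seeded with the post's example address; run it from an elevated PowerShell prompt.

```powershell
param(
    # Assumption: your ISP's resolvers. 58.69.254.143 is the post's example of a
    # legitimate entry; replace it with the addresses your ISP actually gives you.
    [string[]] $TrustedDns = @('58.69.254.143'),
    [switch]   $Fix
)

function Test-DnsEntry {
    param([string] $Address)
    # Anything that is not a trusted resolver is suspect. The post's hijacked
    # entries (0.255.122.15, 85.255.112.156, 1.2.3.4) all fail this check.
    if ($TrustedDns -contains $Address) { return 'ok' }
    if ($Address -match '^0\.') { return 'malformed' }   # 0.x.x.x is never a usable resolver
    return 'unexpected'
}

$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $adapters) {
    Write-Host "== $($nic.Description)"
    Write-Host "   DHCP enabled : $($nic.DHCPEnabled)  (DHCP server $($nic.DHCPServer))"
    # Effective resolver list, whether pinned statically or handed out by DHCP.
    $servers = @($nic.DNSServerSearchOrder | Where-Object { $_ })
    if ($servers.Count -eq 0) { Write-Host '   DNS servers  : (none)'; continue }

    $bad = @()
    foreach ($s in $servers) {
        $verdict = Test-DnsEntry $s
        Write-Host "   DNS server   : $s  -> $verdict"
        if ($verdict -ne 'ok') { $bad += $s }
    }
    if ($bad.Count -eq 0) { continue }

    if ($Fix) {
        # $null clears the static list so DHCP supplies the resolvers again,
        # then release/renew the lease as steps 6-7 do with ipconfig.
        $r = $nic.SetDNSServerSearchOrder($null)
        Write-Host "   cleared static DNS (return code $($r.ReturnValue); 0 = success)"
        if ($nic.DHCPEnabled) {
            $nic.ReleaseDHCPLease() | Out-Null
            $nic.RenewDHCPLease()   | Out-Null
        }
        ipconfig /flushdns | Out-Null   # drop answers the rogue resolver already cached
    } else {
        Write-Host '   suspicious entries found; rerun with -Fix to reset to DHCP'
    }
}
# A renewed lease re-imports whatever the router hands out, so a router that was
# also changed (as in the post) must still be corrected in its own admin page.
```

Entries reported as "unexpected" after the fix point at the router or at DHCP, not at the LAN card itself.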
So how did the attack happen?
I must have gotten a trojan from one of the websites I visited. That trojan then modified the DNS settings of my LAN card and even my DSL router. When the advertisements started popping up I did malware and trojan scans. I was able to remove them, but it was already too late: my DNS settings had already been modified, which was the last thing I expected a trojan to do. What happens then is that whenever I visit a website, the exploit DNS entry directs me to the popup.adv.net and mtn5.goole.ws servers first, before redirecting me to the website I originally wanted to visit. It then fires advertisements at random times. It is solved now.
But we all have one big problem. During the exploit we were using hosted email clients, and some of you probably visited your bank or credit card sites. All that time our traffic was being filtered through an exploit server. Ouch! At least now you know, and you can start taking the necessary steps in case someone tries to abuse your important accounts.
Related Links:
How to Block Adwares using Firefox NoScript extension
How to Block popup.adv.net and mtn5.goole.ws
Comments
It might be better that people
(1) actually open the internet-connection adapter and go to TCP/IP properties and manually remove the hijacked DNS server address, then
(2) execute the netsh command that was suggested in the blog entry where this blog entry comes from (the original post)
Cheers:
P.
because I could find anything weird in my router. Now I'm finally free from these spammers!
I had the same problem for the last few days and yesterday I finally fixed it.
I was unable to update any antivirus or antispyware program including Windows Update. And just after I would close Windows Update I would get this pop-up window with mtn5.goole.ws in the title. Pretty annoying.
What I did yesterday is that I disconnected from Internet, shut down my router and reset it.
Then I ran Malwarebytes' Anti-Malware, which found 14 entries. Most of them were named Trojan.DNShijacker and Trojan.Vundo.
I removed all of them successfully, rebooted the system, scanned it again, rebooted again, and then turned the router on and connected to the Internet again.
Finally I was able to update my antivirus and Windows Update and hopefully it means I cleaned my PC from this problem.
Thanks for your help. Your solution works.
See you soon
http://www.tips29.com/2008/11/how-to-remove-mtn5goolews-and.html