Problems with DNS after a rootkit infection

Discussion in 'Hardware' started by rabarbar, Jan 23, 2013.

  1. rabarbar

    rabarbar Private E-2

    Hi,

    I wonder if anyone could help me with this.
    I have had an infection with Rootkit.Zero.Access!, Google redirect and a bunch of other rootkits and malware.
    My system is Windows 7 with SP1.
    I have run numerous antimalware, antirootkit, antispyware, antivirus programs and they all detected something and removed it.
    I have run: antizeroaccess, adwcleaner, aswMBR, ComboFix, FixTDSS, FixZeroAccess, GooredFix, rootkitremover from Malwarebytes, Sophos, AVG, Kaspersky tdsskiller, Kaspersky online scanner, ESET online scanner, EmsisoftEmergencyKit, Malwarebytes' Anti-Malware, Malwarebytes Anti-Rootkit, Spy Hunter, Spybot

    After all this I have done the usual TCP/IP cleanups and TCP reset:

    ipconfig /release
    ipconfig /renew
    net stop dnscache
    net start dnscache
    ipconfig /flushdns
    netsh interface ip delete arpcache
    netsh int ipv6 reset reset1.log
    netsh int ipv4 reset reset2.log
    netsh int ip reset reset.log
    netsh winsock reset
    netsh winsock reset catalog

    Removed all of my network adapters, uninstalled a couple of hidden drivers, refreshed my TCP settings from a different PC with Windows 7 (they are all installed using the same system image), and ran sfc /scannow as well.

    I got to the point where I have internet connection but my DNS resolution does not work.
    I can do an nslookup of www.microsoft.com:

    C:\>nslookup www.microsoft.com
    Server: www.routerlogin.com
    Address: 192.168.1.10

    Non-authoritative answer:
    Name: lb1.www.ms.akadns.net
    Address: 64.4.11.42
    Aliases: www.microsoft.com
    toggle.www.ms.akadns.net
    g.www.ms.akadns.net

    but I cannot do tracert www.microsoft.com:
    Unable to resolve target system name www.microsoft.com.

    I do not have a problem doing a tracert from my router to www.microsoft.com or any other devices connected to my router.

    On the same machine I am able to use Cisco VPN, Microsoft OCS and Firefox.
    Firefox does not have any problems resolving host names to IP addresses. I can access any website I want without any problems. Safari, Chrome and IE do not work, however.
    Internet Explorer cannot reach any website. The same goes for Outlook, Windows Live Mail, and any program that looks for an update on the net: anything that uses name resolution.
    Internet Explorer does not have any proxies set up or any add-ons (actually I have removed every add-on I had).

    It looks as if Windows is not even trying to resolve the address and spits out the error message immediately. This is the case for http, https, ftp (works with IP addresses though), any protocol really.
    I have the same problem on my wireless connection or on ethernet connection (cable straight to router).

    I first posted on the malware forum (Problems with DNS name resolving after Rootkit.Zero.Access!) and after some investigation I was told that my system now looks clean and that I should post this problem in the networking forum...

    Any ideas?
    It is driving me crazy - have been trying to fix it for the last week.
     
  2. LordOlives

    LordOlives Private First Class

    Have you tried performing a tracert to a different site?
    This is what I get when I try to tracert www.microsoft.com:

    C:\>tracert www.microsoft.com

    Tracing route to lb1.www.ms.akadns.net [65.55.57.27]
    over a maximum of 30 hops:

    1 <1 ms <1 ms <1 ms 10.0.0.1
    2 9 ms 9 ms 7 ms 10.90.32.1
    3 8 ms 12 ms 8 ms dtr03rvsdca-tge-0-1-0-0.rvsd.ca.charter.com [96.34.100.64]
    4 18 ms 11 ms 23 ms crr01rvsdca-tge-0-4-0-3.rvsd.ca.charter.com [96.34.98.122]
    5 15 ms 11 ms 12 ms bbr01rvsdca-bue-2.rvsd.ca.charter.com [96.34.2.66]
    6 17 ms 13 ms 11 ms prr01lsanca-bue-5.lsan.ca.charter.com [96.34.3.7]
    7 12 ms 32 ms 14 ms 96-34-156-38.static.unas.mo.charter.com [96.34.156.38]
    8 * 20 ms 21 ms xe-7-0-2-0.by2-96c-1a.ntwk.msn.net [207.46.42.176]
    9 60 ms 51 ms 43 ms xe-10-0-2-0.co1-96c-1b.ntwk.msn.net [207.46.45.31]
    10 * * * Request timed out.
    11 * * * Request timed out.
    12 * * * Request timed out.
    13 * * * Request timed out.
    14 * * * Request timed out.
    15 * * * Request timed out.
    16 * * * Request timed out.
    17 * * * Request timed out.
    18 * * * Request timed out.
    19 * * * Request timed out.
    20 * * * Request timed out.
    21 * * * Request timed out.
    22 * * * Request timed out.
    23 * * * Request timed out.
    24 * * * Request timed out.
    25 * * * Request timed out.
    26 * * * Request timed out.
    27 * * * Request timed out.
    28 * * * Request timed out.
    29 * * * Request timed out.
    30 * * * Request timed out.

    Trace complete.

    I'm assuming hops 10 through 30 are configured not to allow ICMP traffic, because I am still able to access their website just fine.

    I would also check your hosts file to make sure there aren't any other entries.
    C:\Windows\System32\drivers\etc\hosts

    You can try stopping the dnscache service; this will force DNS to resolve each time.
    net stop dnscache

    From my end it looks like the network devices and the web server are pretty much locked down, so it may not be a good point of reference. I can't even ping it, but if you get the IP address you know your DNS is working.

    C:\>ping www.microsoft.com

    Pinging lb1.www.ms.akadns.net [65.55.57.27] with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 65.55.57.27:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    Have you tried to reinstall Safari, Chrome, or IE?
     
  3. rabarbar

    rabarbar Private E-2

    Hi,

    Tracert does not work to any site - like I said, the system does not even make an effort - I get an error message immediately: Unable to resolve target system name...

    Do not have anything in my hosts file - just the usual 127.0.0.1 entry.
    I have stopped and restarted the DNS cache service numerous times.

    Ping reacts the same as tracert or pathping and comes up with an error immediately:
    Ping request could not find host....

    I have tried reinstalling IE. I don't see the point of reinstalling Safari or Chrome.
    The problem is obviously with Windows - either a driver, a dll or maybe some setting in the registry that prevents it from resolving the IP address.
    I guess Firefox uses its own method of resolving the IP address and that is why I can use it.
     
  4. LordOlives

    LordOlives Private First Class

    I would check and compare the settings in Firefox and IE to see if there are any differences.

    Firefox Network Settings
    Tools > Options > Advanced > Network (tab) > Connection Settings (button)

    Internet Explorer
    Tools > Internet Options > Connections (tab) > LAN Settings (button)

    Another thing to try is the Reset Internet Explorer settings feature of IE.
    Tools > Internet Options > Advanced (tab) > Reset (button)

    Do you have any other computers on your network? You could try to see if your system is resolving local host names to IPs by performing a ping.
    C:\> ping <hostname>
     
  5. rabarbar

    rabarbar Private E-2

    I do not have any settings on connection for IE or Firefox. Standard settings on both. No proxy.
    But like I mentioned, this is not just a problem with IE. This is a system-wide issue. Ping, tracert, Outlook, AD connection, ftp, or any protocol don't work when using host names.

    For example this is a ping to my router:

    C:\>ping -a 192.168.1.10

    Pinging www.routerlogin.com [192.168.1.10] with 32 bytes of data:
    Reply from 192.168.1.10: bytes=32 time=2ms TTL=255
    Reply from 192.168.1.10: bytes=32 time=1ms TTL=255
    Reply from 192.168.1.10: bytes=32 time=2ms TTL=255
    Reply from 192.168.1.10: bytes=32 time=1ms TTL=255

    Ping statistics for 192.168.1.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

    C:\>ping www.routerlogin.com
    Ping request could not find host www.routerlogin.com. Please check the name and
    try again.
     
  6. rabarbar

    rabarbar Private E-2

    I have also tried adding the following line to my hosts file:

    173.194.33.56 www.google.co.uk

    and then pinging:

    C:\>ping -a 173.194.33.56

    Pinging www.google.co.uk [173.194.33.56] with 32 bytes of data:
    Reply from 173.194.33.56: bytes=32 time=215ms TTL=49
    Reply from 173.194.33.56: bytes=32 time=217ms TTL=49
    Reply from 173.194.33.56: bytes=32 time=216ms TTL=49
    Reply from 173.194.33.56: bytes=32 time=215ms TTL=49

    Ping statistics for 173.194.33.56:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 215ms, Maximum = 217ms, Average = 215ms

    C:\>ping www.google.co.uk
    Ping request could not find host www.google.co.uk. Please check the name and try
    again.
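
Added diagnostic (not from any of the thread's participants): the symptom described in the first post and confirmed by the hosts-file test above, where nslookup answers but ping, tracert and even a hosts entry fail, separates two lookup paths. nslookup sends its own UDP query to the DNS server; ping and tracert go through the OS resolver (getaddrinfo), which consults the hosts file, then the DNS Client service and Winsock. This Python script runs both paths side by side; the host name and the router address 192.168.1.10 are taken from the thread, and everything else is assumed.

```python
import secrets
import socket
import struct
HOST, SERVER = "www.microsoft.com", "192.168.1.10"   # host and router DNS from the thread
def build_a_query(name, txid):
    """Encode a recursive A-record query (RFC 1035): header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = [lbl.encode("ascii") for lbl in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)
def _skip_name(msg, off):
    """Advance past a possibly compressed domain name inside a DNS message."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:          # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1
def parse_a_answers(msg, txid):
    """Return the IPv4 addresses in a response; reject id mismatch or non-zero RCODE."""
    rid, flags, _, an, _, _ = struct.unpack_from(">HHHHHH", msg, 0)
    if rid != txid or flags & 0x000F:        # stray/spoofed reply, or an error RCODE
        raise ValueError("bad reply: id 0x%04x, RCODE %d" % (rid, flags & 0xF))
    off = _skip_name(msg, 12) + 4            # past the echoed question (QNAME, QTYPE, QCLASS)
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", msg, off)   # TYPE, CLASS, TTL, RDLENGTH
        off += 10
        if rtype == 1 and rdlen == 4:        # A record; CNAMEs in the chain are skipped
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs
def direct_dns(name, server, timeout=3.0):
    """Query `server` over UDP/53 directly, as nslookup does, bypassing hosts file and cache."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name, txid), (server, 53))
        return parse_a_answers(s.recv(4096), txid)
def os_resolver(name):
    """Resolve via getaddrinfo, the path ping/tracert use: hosts file, then DNS Client."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})

if __name__ == "__main__":
    for label, lookup in (("direct DNS ", lambda: direct_dns(HOST, SERVER)),
                          ("OS resolver", lambda: os_resolver(HOST))):
        try:
            print(label, lookup())
        except (OSError, ValueError) as exc:
            print(label, "FAILED:", exc)
```

If the direct query returns addresses while the OS resolver fails, the DNS server is not at fault; the break is in the local resolver stack that the netsh resets in the first post were meant to rebuild.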
     
