Hi,

I am having trouble with what appears to be a DNS hijack.
At first it looked like I got some nasty IE BHO that redirected me to some page saying that the domain I typed in has expired.
SpyBot SD found nothing, Sophos does not complain, and the same thing happened in every other browser I tried to use.

To make things even more interesting, this does not happen all the time.
I did an nslookup and it resolves all the domains (even non-existing ones) to the same IP (the IP changes during the day).
A reverse lookup on that IP shows it is a subdomain of ev1servers.net.

Like this one: ev1s-67-15-35-183.ev1servers.net (the IP in this case was 67.15.35.183)

Any ideas?

Posted on 2005-05-12 02:28:03 by Azrim
That's easy to fix, even if it is DNS poisoning. Find another ISP in your area (city/country/whatever), and get their DNS server IP number. Under the DNS settings on your TCP/IP adapter insert his number. That way you will not be using your ISP's DNS by default.
Posted on 2005-05-12 06:19:01 by sluggy
The thing that confuses me is: I get one IP when doing an nslookup and another one when doing a ping on some domain.

ping resolves to the fake/spyware, nslookup returns the real one.

So it is not just DNS poisoning (ipconfig /flushdns); it could well be some spyware.
(Only my machine in the network is having this trouble; all machines share the same DNS settings.)

I have no idea where to look.

Posted on 2005-05-16 04:29:22 by Azrim
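
The two symptoms reported so far (every name, even nonexistent ones, resolving to one IP, and ping disagreeing with nslookup) can be checked mechanically. This is an added example, not code from the thread: the function names and the canary-name idea are assumptions, and it relies on ping resolving through the OS resolver (hosts file and local cache first) while nslookup queries the DNS server directly.

```python
import socket
import struct

def os_lookup(name):
    """Resolve via the OS resolver (hosts file, cache, then DNS): the path ping uses."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except (socket.gaierror, socket.herror):
        return set()

def build_query(name, qid=0x1234):
    """Build a raw DNS A query, the kind nslookup sends straight to the server."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack(">6H", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def skip_name(msg, pos):
    """Step over a (possibly compressed) name; return the offset just after it."""
    while msg[pos] and msg[pos] < 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)

def parse_a(msg):
    """Return the set of IPv4 addresses in the answer section of a DNS response."""
    qd, an = struct.unpack(">2H", msg[4:8])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4          # name + QTYPE + QCLASS
    addrs = set()
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:          # A record
            addrs.add(socket.inet_ntoa(msg[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return addrs

def dns_lookup(name, server, timeout=3):
    """Ask one DNS server directly over UDP, bypassing hosts file and local cache."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a(s.recv(512))

def diagnose(os_view, dns_view, canary):
    """Compare {name: set_of_ips} from both paths; canary is a name that should not exist."""
    findings = [("dns-wildcard", canary)] if dns_view.get(canary) else []
    for name, ips in os_view.items():
        if name != canary and ips and ips != dns_view.get(name, set()):
            findings.append(("local-override", name))   # OS path disagrees with server
    return findings
```

Fill `os_view` with `os_lookup()` and `dns_view` with `dns_lookup()` for a few known names plus one random nonexistent name. A `local-override` finding on a name served by round-robin or CDN addresses can be benign, so confirm it on a single-address name before suspecting the local machine.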
Hey Azrim, have you tried MS anti spyware? Here's a link:

http://www.microsoft.com/athome/security/spyware/software/default.mspx

Hope it helps
Posted on 2005-05-16 05:01:25 by Ninja_469