kloby (posted May 17, 2011):
Hi, I have a problem with one computer in my network. It's sending random-name DNS queries and I can't find out what is causing this. In the attachment you have a screen capture from Wireshark on the infected computer. One more thing is that it increments the local port on the computer by 1 with every next query, and those DNS queries don't come to my local DNS at all; I see them on my firewall, where they are blocked. All DNS queries are toward the ROOT DNS servers only, and my computer has the right local DNS server set up in its network config. I know that this is some kind of virus/bot. I scanned the computer with SpyBot S&D, Trend Micro, Malwarebytes v151, RootkitBuster, MBRCheck and Avira, but no luck!
BudMan (posted May 17, 2011):
Yeah, that clearly is not right ;) You could try a simple netstat -anb to see what process is making the connections. If you cannot see it with that (I would assume they are UDP and not TCP, so you might not be able to catch the connection attempt), then take a look at TCPView, which you can get from here: http://technet.microsoft.com/en-us/sysinternals/bb897437 to find the process making the DNS queries. Since it's making so many queries you should be able to catch it pretty easily; it took me a few times to notice the nslookup I was doing and pause the screen. You could use something like NetLimiter Monitor as well; it will show you the processes making connections: http://www.netlimiter.com/download.php
kloby (author, posted May 18, 2011):
Hi, first thanks BudMan for the help. I solved the problem, but first to comment on your suggestions: I tried with TCPView but I couldn't see anything, even with pause, and yes, with netstat you can't see it. The only way I could see something was wrong was my firewall and Wireshark on the infected computer. The problem was the backdoor "SINOWALL.knf" and it was found/removed with the anti-rootkit utility TDSSKiller.
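Since kloby could only see the problem from the network side, here is an added example (not from either poster) that scores hosts on the three symptoms described in the thread: DNS queries that bypass the configured resolver, random-looking names, and a source port that steps by exactly 1 per query. It assumes field output exported from a capture with tshark; the resolver address and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed resolver address for this example LAN; the thread does not give the real one.
LOCAL_RESOLVER = "192.168.1.1"

# Constructed sample lines shaped like `tshark -T fields -e ip.src -e udp.srcport -e ip.dst -e dns.qry.name`.
# Host .50 mimics the infected machine: random labels, source port +1 per query, root-server destinations.
SAMPLE = """\
192.168.1.50\t1025\t192.168.1.1\twww.neowin.net
192.168.1.50\t1026\t198.41.0.4\tqzkxvtrpl.com
192.168.1.50\t1027\t192.33.4.12\twmrtyhbzq.net
192.168.1.50\t1028\t199.7.83.42\tzxqwvrtpn.com
192.168.1.51\t2100\t192.168.1.1\tmail.example.com
192.168.1.51\t2101\t192.168.1.1\tupdate.example.com
"""

def parse(text):
    """Yield (src, sport, dst, qname) from tab-separated field output."""
    for line in filter(None, text.splitlines()):
        src, sport, dst, qname = line.split("\t")
        yield src, int(sport), dst, qname.lower()

def looks_random(qname, min_len=8, max_vowel_ratio=0.2):
    """Crude DGA heuristic: a long name whose letters are almost all consonants."""
    labels = qname.rstrip(".").split(".")[:-1] or [qname]  # drop the TLD
    letters = re.sub(r"[^a-z]", "", "".join(labels))
    if len(letters) < min_len:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < max_vowel_ratio

def analyse(text, resolver):
    """Per source host: queries that bypassed the resolver, how many looked random,
    and whether their source ports stepped by exactly 1 (the pattern in the thread)."""
    stats = defaultdict(lambda: {"ports": [], "random": 0})
    for src, sport, dst, qname in parse(text):
        if dst == resolver:
            continue  # normal: sent to the configured resolver
        stats[src]["ports"].append(sport)
        stats[src]["random"] += looks_random(qname)
    for s in stats.values():
        p = s["ports"]
        s["sequential"] = len(p) >= 3 and all(b - a == 1 for a, b in zip(p, p[1:]))
    return dict(stats)

def suspicious_hosts(text, resolver, min_hits=3):
    """Hosts showing all three symptoms: resolver bypass, random names, sequential ports."""
    return sorted(h for h, s in analyse(text, resolver).items()
                  if len(s["ports"]) >= min_hits and s["random"] >= min_hits and s["sequential"])
```

A host flagged here is the one to examine with TCPView or a rootkit scanner; the vowel-ratio check is deliberately crude and will miss wordlist-based names, so treat it as a triage filter, not proof.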