RapportService: "domain is blocked" by OpenDNS when use WiFi


Franklin MacIntosh
Apr 13, 2010, 10:46:23 PM
Just putting out there info on a dysfunctional interaction between
RapportService (for secure online banking) and my use of public WiFi.
When I accessed the gmail site with both Internet Explorer 8 and
Firefox 3.6.3, I got directed to:

http://block.opendns.com/?url=786674771572808072777015688078&ablock

That site gave the message:

This domain is blocked
This site is categorized in: Webmail
Contact your network administrator.

Facebook gives a similar message. These did not happen when I used my
home WiFi. Much web searching reveals two possible causes. The first
is that I inherit someone else's OpenDNS restrictions because of
DHCP. I used "netsh interface ip set dns ..." to set static primary
and secondary DNS servers to Google's DNS servers. I confirmed this
using "ipconfig /all". I still got the error messages. Note that the
DNS addresses were not set to OpenDNS to begin with. They were
initially:

24.200.241.77: dns2.videotron.ca
24.200.241.37: dns1.videotron.ca

This did not solve the problem, so I set the DNS servers back to
dynamic (they eventually reverted back to their initial addresses).

I tried to renew my IP address, but I always got the same one back.

The second possible cause was a virus. A week ago, I had cleaned out
the malware "Antivirus suite" via these procedures:

http://www.spywareremove.com/removeAntivirusSuite.html
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-suite
http://www.myantispyware.com/2010/03/31/how-to-remove-antivirus-suite-uninstall-instructions

For the last one, I didn't actually use HijackThis, but I did search
the registry for strings shown (sysguard, ftav, and tssd) and found
none. Somewhere along the line, I also scanned the hard drive with
updated Symantec corporate AV and Malwarebytes' Anti-Malware, with the
latter finding and excising avtu.exe, and registry remnants not caught
above.

I suspect that Malwarebytes didn't catch those remnants when I was
following the above website because it was scanning from an account
with administrator rights, while the account that was infected (and
the account that was generating the OpenDNS messages) was a user
account. This led me to suspect that only the user account was
affected by the OpenDNS blockages. True enough, when I logged in with
another user account, the blockages did not occur. This indicates a
problem with the first user account. However, since I had done
everything possible to erase all vestiges of the virus (including
confirming that all processes in the task manager were known and
legitimate), I had my doubts that it was malware. I also have a Kerio
firewall. Other indications that it wasn't as simple as malware were
the fact that I could access WiFi at home perfectly fine before coming
to the hotel, and the fact that the problem doesn't exist with wired
Ethernet (which I eventually tried, using a cable from the hotel
staff).

That's when I noticed RapportService.exe, and checked it a second
time. This time, I remembered that the service was only recently
installed, and only for the account that was experiencing the OpenDNS
blockage. Indeed, when I turned off RapportService, the problem went
away (I had to restart Firefox). When I restarted RapportService, the
problem came back (after Firefox was restarted).

This has already been reported to Trusteer, and I am only putting this
out there so that someone else having this problem can solve it with a
simple Google search.
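As an added diagnostic (this is example code, not part of the original post and not Trusteer's or OpenDNS's software), the Python 3 script below sends an A query directly to each resolver you name, say the DHCP-assigned one and Google's public resolver 8.8.8.8, and reports whether they return the same addresses. It mirrors what the poster did with "netsh" and "ipconfig /all" but without changing any system setting, so it can be run from each Windows account in turn: if every resolver agrees and one account still lands on the block page, the cause is on the host rather than at the resolver, which is what the RapportService observation above shows. It uses only the standard library; the query builder and parser follow the RFC 1035 wire format; SAMPLE_RESPONSE and the 192.0.2.x addresses are constructed test data, not captured traffic.

```python
import random
import socket
import struct


def build_query(name, txid):
    """Build a standard RFC 1035 A query for `name` with transaction id `txid`."""
    # Header: id, flags (only RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    question = b''.join(
        bytes([len(label)]) + label.encode('ascii')
        for label in name.rstrip('.').split('.')
    ) + b'\x00'
    return header + question + struct.pack('!HH', 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, offset):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels = []
    end = None
    jumped = False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = ((length & 0x3F) << 8) | data[offset + 1]
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode('ascii'))
        offset += length
    return '.'.join(labels), end if jumped else offset


def parse_response(data):
    """Return {'id', 'rcode', 'answers'} for a DNS reply; answers are IPv4 strings."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack('!HHHHHH', data[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(data, offset)
        offset += 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, _, _, rdlength = struct.unpack('!HHIH', data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:  # A record
            answers.append(socket.inet_ntoa(rdata))
    return {'id': txid, 'rcode': flags & 0x0F, 'answers': answers}


def query(server, name, timeout=3.0):
    """Send one A query straight to `server` over UDP/53 and return its answers."""
    txid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    parsed = parse_response(data)
    if parsed['id'] != txid:
        raise ValueError('DNS transaction id mismatch')
    return parsed['answers']


def compare_resolvers(name, servers, send=query):
    """Query `name` against each server and report whether the answers agree.

    `send` is injectable so the comparison can be exercised offline."""
    results = {}
    for server in servers:
        try:
            results[server] = sorted(send(server, name))
        except (OSError, ValueError):
            results[server] = None  # timeout, unreachable, or malformed reply
    seen = {tuple(v) for v in results.values() if v is not None}
    return {'results': results, 'consistent': len(seen) <= 1}


# Constructed sample reply (not captured from any real resolver): gmail.com -> 192.0.2.10
SAMPLE_RESPONSE = (
    b'\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00'
    b'\x05gmail\x03com\x00\x00\x01\x00\x01'
    b'\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0a'
)


if __name__ == '__main__':
    import sys
    # Usage: python dnscheck.py gmail.com <dhcp-assigned resolver> 8.8.8.8
    name, servers = sys.argv[1], sys.argv[2:]
    report = compare_resolvers(name, servers)
    for server, answers in report['results'].items():
        print(f'{server}: {answers if answers is not None else "no reply"}')
    print('resolvers agree' if report['consistent'] else 'resolvers DISAGREE')
```

Run it once from the account that sees the block page and once from an account that does not; the resolver list comes from "ipconfig /all". Differing answers between the DHCP-assigned resolver and 8.8.8.8 point at the resolver in the path; identical answers with only one account affected point at per-account software on the machine, as in the post.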
