* A variant of the wuauserv %fystemroot% hijack
Symptoms:
- Attacks your ISP DNS settings
- IE & Google redirects
- Slow system
- Disables various updates: antivirus, WMP etc.
- Prevents several security programs from running or opening
Entries in HijackThis:
O17 - HKLM\System\CCS\Services\Tcpip\..\{802088D3-E982-48DE-8D14-4633A35B2A64}: NameServer = 85.255.112.204,85.255.112.90
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.204,85.255.112.90
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.204,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.204,85.255.112.90
Again, it is installed in the system32\drivers folder via a hidden .sys file.
Solution:
- Use GMER to identify the hidden .sys file (rootkit)
- Run ComboFix (make sure you install the Recovery Console as well; as the fix results in a loss of internet access, you have to restore your normal internet settings)
NOTE: If ComboFix doesn't run, rename combofix.exe to whatever you want and try again
- Run MBAM; it will then detect and remove some leftover strings
Hope this helps
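As an added example (not part of the post above), here is a small checker that parses HijackThis O17 lines, such as the four quoted in the post, and flags any NameServer entry pointing at a resolver that is not on your expected list. The sample log is constructed from the post's lines plus one assumed benign DhcpNameServer line (192.0.2.53 is a documentation address, not a real ISP resolver); note that the rogue resolvers appear under CCS, CS1 and CS2, i.e. every control set, which is why the clean-up has to cover all of them.

```python
import re
from ipaddress import ip_address

# Constructed sample: the O17 lines quoted in the post, plus one assumed
# benign line (192.0.2.53 is a documentation address) for contrast.
SAMPLE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{802088D3-E982-48DE-8D14-4633A35B2A64}: NameServer = 85.255.112.204,85.255.112.90
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 85.255.112.204,85.255.112.90
O17 - HKLM\\System\\CS2\\Services\\Tcpip\\Parameters: NameServer = 85.255.112.204,85.255.112.90
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.112.204,85.255.112.90
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer = 192.0.2.53
"""

# HijackThis O17 format: "O17 - <registry key>: <value name> = <ip>[,<ip>...]"
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): (?P<value>\w+) = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return (registry_key, value_name, [resolver, ...]) for every O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # not an O17 line; HijackThis logs carry many other sections
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        entries.append((m.group("key"), m.group("value"), servers))
    return entries


def find_hijacked(log_text, expected_resolvers):
    """Map 'key\\value' -> resolvers that are not in the expected set."""
    expected = {ip_address(ip) for ip in expected_resolvers}
    hits = {}
    for key, value_name, servers in parse_o17(log_text):
        bad = []
        for s in servers:
            try:
                if ip_address(s) not in expected:
                    bad.append(s)
            except ValueError:
                bad.append(s)  # unparsable resolver string: treat as suspicious
        if bad:
            hits[f"{key}\\{value_name}"] = bad
    return hits


def rogue_resolvers(hits):
    """Distinct unexpected resolver addresses across all flagged keys."""
    return {ip for bad in hits.values() for ip in bad}


if __name__ == "__main__":
    found = find_hijacked(SAMPLE_LOG, ["192.0.2.53"])
    for key, bad in found.items():
        print(f"{key}: unexpected resolver(s) {', '.join(bad)}")
    print("rogue resolvers:", sorted(rogue_resolvers(found)))
```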