Diary of a Network Geek

The trials and tribulations of a Certified Novell Engineer who's been stranded in Houston, Texas.

5/29/2011

DNS Redirect Attack

Filed under: Geek Work,News and Current Events,Rotten Apples,The Dark Side — Posted by the Network Geek during the Hour of the Horse which is around lunchtime or 12:34 pm for you boring, normal people.
The moon is Waning Crescent

I’m seeing traffic about this, so I thought I’d write up what I found.

I tweeted about a strange DNS-based network/malware attack that I saw on Friday, but, at the time, I didn’t see any interest, so I didn’t go into any real details.  Besides, I may be a hardcore geek, but I do have a life and was going out.  But, now, I’m seeing search engine traffic hitting my blog apparently looking for details, so I thought I’d describe the attack, as I saw it.

First of all, let me mention that I’ve seen a higher-than-usual occurrence of malware infections the past couple of weeks.  I mean, it’s a hazard of my business that, sooner or later, people are going to get infected, either through bad behavior or by accident, but the past three weeks or so I’ve seen way more problems like that than is even remotely normal.  So, bearing that in mind, I’ve been on a kind of high-alert status looking for any malware problems, but this was something new.

It started with someone from another location, who’s on a totally, physically separate network which uses a different internet service provider to connect to the Internet, calling me with a problem.  It was, apparently, a recurrence of a virus he had previously that we cleaned.  He described being taken to a webpage that featured a maroon graphic background with a white icon of a policeman holding up his hand to indicate “stop”.  The text on the page gave a message that said the user’s browser was not the correct version to access the page and that an upgrade was required.  Helpfully, it provided a button to press to receive the “upgrade”.  Obviously, the “upgrade” was an infection.  (You can see an example of the graphic here.)  Thankfully, I trained my users well enough to be suspicious of these kinds of things and no one who reported this actually clicked on it.

About the same time this happened, I noticed that my iPhone wasn’t connecting to the wifi hotspot I have set up in my office.  I checked the configuration and noticed that the DNS servers listed were wrong.  In fact, they’d all been replaced with a single DNS server: 188.229.88.7.  Obviously, that seemed suspicious to me, so I opened a command prompt on my PC and did a tracert to see if I could figure out where this server was and, from that, why it had become the default DNS server on part of my network, despite my having very carefully configured totally different DNS servers that I knew were safe.  It looked like the tracert results showed me a network path that led out of the country somewhere, which was, to me, very suspicious.

Before I could really pursue that, though, I got another call from a user at my location reporting the exact same error message and graphic, but going to a totally different website! I went to his computer and checked the IP configuration and found that his DNS servers had been replaced by the rogue server as well.  I refreshed his network config, several times actually, and the DNS servers reset, but, when I thought to check some other people in the same area of the building, his configuration set itself back to the rogue DNS server!  So, I reset the local network equipment to clear the DNS cache, and whatever other caches may have gotten poisoned by this attack, and the problem seemed to go away.  Unfortunately, whatever had caused the compromise was still active and seemed to poison the DNS cache and the DNS configuration again.  It did seem sporadic, though, as if the ISP was trying to correct the issue at their end.

As far as I can tell, the attack actually seemed to be network-based in some way.
At least, I couldn’t find any computer on my network that was infected with anything that AVG, Norton Anti-virus, or Malware Bytes could find.  It is, I suppose, possible that this attack was so new that none of those programs had an updated detection pattern for it, but the lack of detection, and the fact that it happened on two physically separate networks almost simultaneously, lead me to believe that this was a network-based attack.  I suspect that an ARP cache or DNS cache or something similar was attacked and compromised on a major network router somewhere.  Possibly one of the edge routers at a trans-continental connection somewhere.  From the tracert results I had, it looked like it was the East Coast somewhere, leading to Europe via London to France, though I could be wrong.  It’s possible that was a blind alley meant to throw researchers off the trail in some way.
Also, as of this writing the rogue DNS server seems to be out of commission, though that might change, too.

The Internet is a wild and wooly place, ladies and gents, and you can’t always count on your friendly, neighborhood Network Geek to watch over you and keep you safe!  So, be careful out there!
(And, if you’re a fellow professional who’s seen this, too, leave me comments and tell me what you found!)
UPDATE: Looks like the server is still active, but my ISP has blocked DNS traffic to it, to fix the problem.
Also?  I hate the bastards that do these things.  I hate every last one of the little rat bastards!

UPDATE/FOLLOW-UP: So, it seems like a lot of people have been affected by this problem!
Check the comments for what other folks did and tools they might suggest to help with the problem.  Frankly, I wish I’d known about those tools when I started my day!  Yes, I was *totally* wrong when I said it looked like it was coming in from outside the routers.  It was, in fact, *several* PCs that were infected with whatever it was.  I found it, much like at least one commenter, by checking the results of “ipconfig /all” in a command prompt.  I noticed that the DHCP server listed in the config was NOT my actual DHCP server!  So, as I went from machine to machine, I saw several PCs that kept coming up as DHCP servers.  I used Malware Bytes to scan the infected PCs and it seemed to clean them off.  At least, for now.  I’m not sure what I’ll find in the morning.
Apparently, Friday, when it looked like the problem was getting cleaned up, it was really just people shutting their workstations down early for the long weekend.
In any case, as at least one commenter has mentioned, it looks like updates for the various scanners should be coming out this week, so keep updating your antivirus and antispyware programs and scan your networks!  Well, scan them more completely and carefully than you already have.
And, as always, if you have any new information or suggestions for tools to clear up the issue, please, leave them in the comments!

45 Comments

  1. Our network was infected last Friday with this. The only solution for now is to set static IPs and DNS for all 80 computers in the network.

    Comment by C.P — 5/30/2011 @ 12:34 pm

  2. Well, our ISP has been on it and the problem seems to be at least partially corrected. The biggest problem has been that it was launched right before a long weekend so most Helpdesks aren’t open to deal with the problem.

    Comment by the Network Geek — 5/30/2011 @ 1:48 pm

  3. Ran into an instance of this infection today, still trying to clean it out. Another person seems to have run into a similar problem here:

    http://bugsbane.net/wp/?p=18

    Comment by sirbleh — 5/31/2011 @ 9:59 am

  4. I’ll write an update to this later today, but it came back at my place, too.
    If you check the IP config via a command prompt, using “ipconfig /all”, you’ll notice that the DHCP server listed is NOT your correct DHCP server! I believe that the DHCP server listed on affected machines is, in fact, the machine which is infected with the virus. So far, it seems like Malware Bytes is removing it, but I’m still fighting it at my office, too.

    Comment by the Network Geek — 5/31/2011 @ 12:37 pm

  5. Had that here this morning. Upon checking the IP settings on the PCs affected, found that it had not only changed the DNS server to 188.229.88.7, but it also changed the DHCP to a user’s laptop’s IP address. After identifying the laptop and disconnecting it from the network, the issue could be fixed on all other affected PCs by either rebooting them or just doing the repair option in network settings. All Windows XP SP3 machines involved. Am in process of reimaging the one laptop that seems to have started this.

    Comment by Jay Rogers — 5/31/2011 @ 4:55 pm

  6. Yep, when I get home from the office, I’ll add a final update to this on how I tracked it down at my office. Similar to what you saw, but complicated by the fact that I have over 150 users and no help at my office. Took me all day.

    Comment by the Network Geek — 5/31/2011 @ 4:59 pm

  7. Would be interested to find out how it was able to take the DHCP service away from the main DHCP server here. This facility only has about 100 users but is subnet of much larger domain. The DHCP service on the server was still running and no changes made on the server.

    Comment by Jay Rogers — 5/31/2011 @ 5:08 pm

  8. We saw this today at one of our sites where many users were getting poisoned DHCP information and had trouble accessing all network resources. We first blocked all outbound traffic to 188.229.88.7 and then used the Rogue DHCP Server Detector (http://blogs.technet.com/b/teamdhcp/archive/2009/07/03/rogue-dhcp-server-detection.aspx) to find the unauthorized DHCP servers (infected workstations) and remove them from the network. Interestingly, in one case the user who had an infected machine didn’t even notice anything was wrong.

    From my research and contact with Trend Micro support today, this is a relatively new attack and all the security vendors are inundated with reports and the first definitions are expected out late tonight or tomorrow.

    @Jay Rogers:

    It is possible for multiple DHCP servers to exist in a given subnet, whether on purpose or by accident.

    A client machine needing an IP address from DHCP will send a DHCPDISCOVER message to 255.255.255.255 (broadcast to the entire local subnet). In general, any DHCP server that sees the message will respond with a DHCPOFFER message to the client. When the first DHCPOFFER message is received by the client, the client will respond with a DHCPREQUEST message. This message is broadcast, but contains the MAC address of the server that sent the DHCPOFFER. The server acknowledges the DHCP assignment with a DHCPACK message sent to the client. The DHCPACK message is the message that contains the configuration information such as the IP address, subnet mask, gateway, and DNS servers.

    With proper planning, it is possible to successfully run two DHCP servers in the same subnet. The DHCP servers all have to dole out addresses from non-overlapping scopes and each scope must be large enough to supply addresses for all clients that might request them (rather than just the number of workstations divided by the number of DHCP servers). However, most of the time multiple DHCP servers in the same subnet is an accident or, as in this case, an outright poison attack and it causes problems such as duplicate IP addresses or traffic being routed to the incorrect location.

    In your case the DHCPOFFER message from the infected workstations/rogue DHCP servers is simply arriving at the requesting client machines before the DHCPOFFER message from the real, authorized DHCP server. It has nothing to do with a problem with the real DHCP server.

    Comment by Scott Sander — 5/31/2011 @ 5:55 pm
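The DISCOVER/OFFER/REQUEST/ACK exchange Scott lays out is exactly what the rogue-DHCP detectors mentioned in this thread lean on: broadcast one DHCPDISCOVER and see who answers. The script below is an added example, written for this page; it is not Scott's code and not the Microsoft Rogue DHCP Server Detector. It builds the DISCOVER a client would send, parses each DHCPOFFER for the server identifier (option 54) and the DNS list (option 6), and flags any offer that comes from a server not on an authorized list or that hands out 188.229.88.7. The authorized server address 192.168.1.1 and the locally administered MAC are assumptions; `live_scan` needs permission to bind UDP port 68, and the scanning host should hold a static address so it is not itself waiting on a lease.

```python
"""Rogue DHCP offer check (added example; assumes 192.168.1.1 is the real server)."""
import ipaddress
import socket
import struct

AUTHORIZED_DHCP_SERVERS = {"192.168.1.1"}      # assumption: your real DHCP server(s)
ROGUE_DNS = {"188.229.88.7", "188.229.88.8"}    # resolver addresses reported in this thread
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"         # 236-byte fixed BOOTP header


def build_discover(mac: bytes, xid: int) -> bytes:
    """DHCPDISCOVER: BOOTREQUEST header, broadcast flag set, option 53=1, END."""
    header = struct.pack(BOOTP_HDR, 1, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr..giaddr
                         mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 255])


def parse_options(payload: bytes) -> dict:
    """Walk the TLV option area after the magic cookie into {code: raw bytes}."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # END
            break
        if code == 0:              # PAD
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_offer(payload: bytes) -> dict:
    """Pull out the fields a defender cares about from an OFFER/ACK."""
    op, _, _, _, xid = struct.unpack("!BBBBI", payload[:8])
    opts = parse_options(payload)
    dns_raw = opts.get(6, b"")
    return {
        "op": op, "xid": xid,
        "type": MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN"),
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),          # offered address
        "server_id": str(ipaddress.IPv4Address(opts[54])) if 54 in opts else None,
        "dns": [str(ipaddress.IPv4Address(dns_raw[j:j + 4])) for j in range(0, len(dns_raw), 4)],
    }


def classify_offer(offer: dict) -> list:
    """Reasons (possibly none) this offer looks like it came from an infected host."""
    reasons = []
    if offer["server_id"] not in AUTHORIZED_DHCP_SERVERS:
        reasons.append(f"unauthorized DHCP server {offer['server_id']}")
    bad = sorted(set(offer["dns"]) & ROGUE_DNS)
    if bad:
        reasons.append("offers rogue DNS " + ", ".join(bad))
    return reasons


def build_offer(server_ip: str, yiaddr: str, dns: list, xid: int, mac: bytes) -> bytes:
    """Constructed DHCPOFFER, used only to exercise the parser offline."""
    header = struct.pack(BOOTP_HDR, 2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed,
                         ipaddress.IPv4Address(server_ip).packed, b"\0" * 4,
                         mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    dns_bytes = b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    options = (MAGIC_COOKIE + bytes([53, 1, 2])
               + bytes([54, 4]) + ipaddress.IPv4Address(server_ip).packed
               + bytes([6, len(dns_bytes)]) + dns_bytes + bytes([255]))
    return header + options


def live_scan(timeout: float = 3.0) -> list:
    """Broadcast one DISCOVER and collect every OFFER that answers it."""
    xid, mac = 0x3903F326, bytes.fromhex("020000000001")   # constructed, locally administered MAC
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("", 68))
        s.settimeout(timeout)
        s.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
        offers = []
        while True:
            try:
                data, _ = s.recvfrom(2048)
            except socket.timeout:
                return offers
            offer = parse_offer(data)
            if offer["xid"] == xid and offer["type"] == "OFFER":
                offer["flags"] = classify_offer(offer)
                offers.append(offer)


if __name__ == "__main__":
    for o in live_scan():
        print(o["server_id"], "offers", o["yiaddr"], "dns", o["dns"], o["flags"] or "ok")
```

Every server on the segment answers the broadcast, so one run lists the real server and every infected workstation together, which is the same one-shot view the commenters found so much faster than walking from PC to PC with ipconfig /all. Because the DISCOVER carries a throwaway MAC and the script never sends a DHCPREQUEST, nothing is leased to the scanning host.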

  9. @Network Geek:

    Saw your new update. I highly recommend that everyone immediately starts blocking all incoming traffic from and (more importantly) outbound traffic to both 188.229.88.7 and 188.229.88.8. This will help prevent the attack from getting worse by users clicking the “Browser Update” button at the page displayed when you try to go anywhere with a web browser with the DHCP poison.

    I’ve heard nothing new from Trend Micro. I’m actually working through an intermediary on that, so it is possible there is an update I have not received yet.

    Some colleagues of mine have reported success by using Kaspersky’s TDSSKiller and then doing a full scan with Malwarebytes’ Anti-Malware, but I personally don’t think this fully eliminates the infection. Instead, for the machines that have the rogue DHCP servers or are otherwise exhibiting signs of a virus infection (excluding those that are simply having networking problems due to the DHCP poison), I have been popping in new hdds and reimaging the machines and then running dban against the old hdds to ensure they are completely wiped.

    Again, that Rogue DHCP server finder I posted a link to above has been a significant help in isolating the infected machines. It’s a lot easier to use that and see a list of all active DHCP servers and take them out in one shot than to keep doing an ipconfig /all and tracking down the rogue DHCP servers one-by-one.

    Comment by Scott Sander — 5/31/2011 @ 10:10 pm

  10. I have found that if you edit the registry at HKEY_Local_Machine\system\currentcontrolset\services\tcpip\parameters and the various interface keys, and look for DHCPnameserver, it will have a value equaling 188.229.88.7. Change it to anything you want, usually your router’s IP address. After that, change the permissions of the “parameters” key and remove the “full control” ability for all user profiles; leave system and network service. That will keep the virus from changing it back.

    Comment by Dan Lauritzen — 6/1/2011 @ 11:07 pm

  11. Removal is an easy process for this infection, also known as “QuestDns”. On any machine experiencing the fake “Browser Upgrade” warning, run “ipconfig /all” and note the DHCP server. This is likely not the router, but another host on your LAN that has become infected with this nasty little trojan.

    Find the workstation or other host that the IP you obtained reflects, and go to that machine. Download RKill(http://www.bleepingcomputer.com/download/anti-virus/rkill) and run it, this will terminate the DNS server from that host.

    Download Malwarebytes AntiMalware(MBAM) Free version(http://www.malwarebytes.org/products/malwarebytes_pro), Update, and perform a full scan. Remove any infections, but DO NOT reboot when prompted.

    Download a copy of Temp File Cleaner(http://software.addpcs.com/tfc/index.php), run it and let it remove all temporary files. This will delete system restore point, windows update caches, and so on. You want all of this cleared out prior to rebooting to mitigate any potential reinfection.

    NOW Reboot.

    Once you’ve rebooted, go to the original affected hosts, and run “IPCONFIG /release” and then “IPCONFIG /renew”. The machine should get its IP from the correct server at this point, and be able to browse the web.

    As a note: you should still scan any machine that experienced the fake webpage with Malwarebytes to be sure it is clean, and run the Temp File Cleaner before rebooting(after the MBAM scan).

    (Alternatively, you can do an IPCONFIG /release and /renew after disconnecting the fake DHCP server from the network, if you need to get back online immediately.)

    Comment by Stephen X. — 6/8/2011 @ 12:57 pm
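The post's follow-up and the first step of Stephen's procedure key on the same tell: the DHCP Server line in “ipconfig /all” names another workstation instead of the real server, and the DNS Servers line carries 188.229.88.7. The script below is an added example, not tooling from the post or from any commenter. It parses the text that “ipconfig /all” prints and reports, per adapter, an unauthorized DHCP server (the likely infected host) or a rogue DNS entry. The authorized DHCP address 192.168.1.1 and the sample ipconfig output are constructed for illustration; `triage_host` runs ipconfig on the Windows machine itself, while the offline path works anywhere.

```python
"""Triage 'ipconfig /all' output for a rogue DHCP server / rogue DNS (added example)."""
import re
import subprocess
import sys

AUTHORIZED_DHCP = {"192.168.1.1"}               # assumption: your real DHCP server(s)
ROGUE_DNS = {"188.229.88.7", "188.229.88.8"}     # resolver addresses reported in this thread

# Constructed sample output, trimmed to the lines that matter. The DHCP Server
# line names another workstation, which is the tell the commenters describe.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS-07

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT
   Physical Address. . . . . . . . . : 00-0C-29-AB-CD-EF
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.77
   DNS Servers . . . . . . . . . . . : 188.229.88.7
   Lease Obtained. . . . . . . . . . : Friday, May 27, 2011 8:02:11 AM

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
"""

SECTION = re.compile(r"^(\S.*?):?\s*$")                           # unindented adapter heading
KV = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 ()/\-]*?)[ .]*:\s*(.*)$")  # "Key . . . : value"


def parse_ipconfig(text: str) -> dict:
    """Return {section: {lowercased key: [values]}}; wrapped lists (extra DNS
    servers on their own indented lines) are appended to the previous key."""
    sections, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            last_key = None
            continue
        m = KV.match(line)
        if m and current is not None:
            last_key = m.group(1).strip().lower()
            current.setdefault(last_key, []).append(m.group(2).strip())
        elif current is not None and last_key and line.startswith(" "):
            current[last_key].append(line.strip())
    return sections


def triage(sections: dict) -> list:
    """(adapter, finding) pairs for every DHCP or DNS value that should not be there."""
    findings = []
    for name, fields in sections.items():
        for srv in fields.get("dhcp server", []):
            if srv not in AUTHORIZED_DHCP:
                findings.append((name, f"DHCP Server {srv} is not authorized; "
                                       "that host is the likely infected machine"))
        for d in fields.get("dns servers", []):
            if d in ROGUE_DNS:
                findings.append((name, f"DNS server {d} is the rogue resolver"))
    return findings


def triage_host() -> list:
    """Run ipconfig /all on this Windows machine and triage the live output."""
    out = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True, check=True).stdout
    return triage(parse_ipconfig(out))


if __name__ == "__main__":
    # Pipe saved output in (ipconfig /all > ws07.txt; python triage.py < ws07.txt)
    # or run with no input to see the constructed sample triaged.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPCONFIG
    for adapter, finding in triage(parse_ipconfig(text)):
        print(f"[{adapter}] {finding}")
```

Saving “ipconfig /all” output from each affected PC and feeding it through the parser gives a list of candidate DHCP-server addresses to chase down; a "not authorized" finding is the address to resolve to a host name (Stephen's tracert step) and clean, while a rogue-resolver finding on its own just means the machine took a poisoned lease and needs a release/renew once the source is off the network.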

  12. Well, obviously, from the comments, there are several ways to clean this up. The Rogue DHCP Finder program was a little more proactive, though I essentially did it the way you did. The problem came in for me when I had to chase down 5 or 6 computers that were infected. Also, TDSSKiller worked really well for me to get the infection removed and I followed that up with a Malware Bytes scan, to get anything left behind.

    Thanks for the update, though! Always good to remember that there’s usually more than one way to do it!

    Comment by the Network Geek — 6/8/2011 @ 1:10 pm

  13. At my wits’ end..3 out of 4 laptops have a DNS server that has been changed to 188.229.88.7..if I change TCP/IP to manual and put in 8.8.8.8 as my DNS server I can get online; if it is on auto a red box appears saying “page does not support your browser” and there is a button to press which says “update browser”..I know this is a virus and I have downloaded Malwarebytes; it detected some viruses on one computer and none on the others and removed them and it still isn’t fixing the problem. Does anyone know how to get rid of this virus!

    Comment by jennifer — 6/23/2011 @ 10:43 pm

  14. @jennifer

    Follow the steps I’ve listed above and you should be able to remove.

    Not all machines are infected, unless you’ve clicked the link to “Update the Browser”. There should be one(but it could be more) machines that are infected at this time. That machine is giving out the bad DNS server information to your network, and once it is cleaned, you can simply reboot the other machines or run an Ipconfig /release and then /renew to get the correct IP information.

    To determine the infected host, go to any machine that is getting the rogue webpage(when the DNS isn’t manually set) and open a command prompt. Type “IPCONFIG /ALL” at the command prompt and note the “DHCP Server” listed. This IP is the machine that is infected and the source of your problem. To determine which machine is associated, just type “TRACERT $IPGoesHere$” which should give you the computer name. Find that machine and follow the instructions I posted above CAREFULLY and you will clean the infection. Reboot the machines other than the rogue DHCP server after you’re done cleaning and verify they don’t get the 188.x.x.x addresses for DNS entries any longer.

    Make sure you run a scan with MBAM(see above post for link) on each other machine as well(make sure you update the definitions in MBAM first) to ensure everything is clean.

    Take your time, good luck.

    Comment by Stephen X. — 6/24/2011 @ 10:07 am

  15. @Stephen – That’s pretty much what I told her, too, via e-mail. I sketched out the steps again and referred her back to the comments for the links. Haven’t heard back, so I’m hoping she’s gotten it cleaned up. Thanks for the follow up, though! I appreciate my commenters helping each other out!

    Comment by the Network Geek — 6/24/2011 @ 10:27 am

  16. I’m not sure if my last post was received since I sent it from my phone and I don’t see it on here..but here is an update..I was working with someone from another message board for the past week on my problem and before I heard back from anyone on here I had started the instructions from him..so far this is what I have done.. I ran rkill on the computer that I think has started this whole problem..and then ran Malwarebytes, which detected a few viruses and removed them…still had the problem though..still had the wrong DNS server..just ran TFC and then SUPERAntiSpyware, which found 1096 tracking cookies, 1 rogue MSE-fraud and a few other things that it removed…now I am waiting to hear back and see what to do. If this does not work I will try your instructions. Thank you so much..I will keep you posted..this is a mess..Also, wanted to add my son could not connect to Xbox last night and checked his settings and it changed the DNS server on his Xbox..so this is really going through the whole wireless network.

    Comment by jennifer — 6/24/2011 @ 12:27 pm

  17. Nope, that last message came directly to me as a reply to the e-mail I sent you.
    Keep after it and when you get the infected machine cleaned, I’m pretty sure restarting your son’s Xbox will fix his problem.
    And, please, do let us know how it goes!

    Comment by the Network Geek — 6/24/2011 @ 1:08 pm

  18. I’m still having problems..hopefully someone here may be able to answer my question. This may be long so bear with me. The comp that I thought was causing this problem I ran rkill, Malwarebytes..prob not fixed. Then I ran TFC cleaner and SUPERAntiSpyware and it removed a lot of viruses..then changed my DNS setting back to auto and the computer got rid of the bad DNS server and that computer seems fine on the auto DNS setting..Computer 2..I ran rkill, Malwarebytes and SUPERAntiSpyware, no viruses detected only adware, removed them, changed my DNS setting to auto and still has the bad DNS server number. I thought I had this fixed! Now I see on the above post here it says to find out which computer is giving this problem by the DHCP server? How would I determine this. I did notice that on my computer the DHCP server number does not match my default gateway and IP address and on the computer that I just fixed her IP, default gateway and DHCP number are the same. I just went to my son’s computer and it seems that his IP address is my DHCP number…so is his computer the one that is giving the problem? I hope I am not confusing and someone can help..
    thanks in advance

    Comment by jennifer — 6/25/2011 @ 8:27 am

  19. @Jennifer – Yes, it sounds like his computer is the one with the DNS redirect virus infection. Try running TDSS Killer against that machine, along with MalwareBytes and whatever else you’ve been using, and see if that clears up the problem.

    Comment by the Network Geek — 6/25/2011 @ 11:22 am

  20. Hi fellow professionals,

    Just a quick tip.
    A tool I found most helpful in my quest for determining the rogue DHCP server and thus the infected machine is by using the MS Rogue server detection tool. You can find it here:

    http://blogs.technet.com/b/teamdhcp/archive/2009/07/03/rogue-dhcp-server-detection.aspx

    Note that you need to assign a static IP to the machine you perform the scan on.
    The tool will list all DHCP servers on the network. In a corp domain it will show you the authorized DHCP servers. In smaller networks (like mine at home, it will show your router/dhcp server). Anything else will be ROGUE.

    I just determined my little culprit.
    I think I will radically reinstall windows. Might not be an option for everyone, but better safe than sorry.

    Comment by Hans — 6/25/2011 @ 12:52 pm

  21. @Hans – Yep, that’s the tool that’s mentioned earlier in the comments, though it wasn’t specifically described as a Microsoft tool, it is.
    Glad to have the confirmation that it’s still the most effective way to find the infected machine or machines, though! Thanks!

    Comment by the Network Geek — 6/25/2011 @ 2:13 pm

  22. Just want to thank you all for your help on this board…you all are great and got back to my replies so quick…I think I MAY be rid of my problem…I don’t want to speak too soon though. All computers, 5 in total, all seem to be working good and I also had Verizon here today, made sure he didn’t leave until all computers were all connected to the internet on automatic DNS setting and so far so good! I don’t want to get too excited yet..I was a little nervous when one of the computers he was trying to connect had the red box pop up with the update button and I told him not to press it and he did and something popped from my antivirus..I would not be happy if this started all over..thanks again I will be back if I have any more problems

    Comment by jennifer — 6/25/2011 @ 5:14 pm

  23. I spoke too soon..it is back! This is crazy..we were fine for two days and all of a sudden one laptop started with not connecting to the internet and the red box with the policeman appears and then I checked the DNS server # and it changed back to the 188 number again..I’m not sure if I should call Verizon back or bring computers to Best Buy Geek Squad..there is one computer that I still haven’t run all the virus scans on I will try that tomorrow I guess..any suggestions??!!

    Comment by jenn3 — 6/27/2011 @ 9:01 pm

  24. Yes, if there was *one* machine that wasn’t scanned, then it’s a good bet that it is the one with the problem. Scan it with everything you’ve got, but especially TDSS Killer. That’s most likely the infected machine and TDSS Killer cleaned it for me.
    Until then, you can take that one machine off the network and see if the problem corrects itself on the other machines. If so, then you can be almost certain that it is the problem machine.
    Good luck and let us know!

    Comment by the Network Geek — 6/27/2011 @ 9:16 pm

  25. How do I take the machine off the network? Do I just press disable for the wireless connection? This whole thing is so annoying. I cannot believe this thing came back! I will let you know when I run scans on the last computer what it comes up with.

    Comment by jennifer — 6/27/2011 @ 9:25 pm

  26. How do I take the computer off the network? Do I just disable the wireless connection? This whole thing is driving me nuts…I cannot believe I am going through it again..why would it go away and then come back two days later?

    Comment by jennifer — 6/27/2011 @ 9:27 pm

  27. Also, one other question..I noticed that my son’s computer’s IP address is my daughter’s DHCP address..does this mean that her computer is the one infected or his is? Just a thought or is it supposed to be like that?

    Comment by jennifer — 6/27/2011 @ 9:39 pm

  28. Yes, disable the network interface.
    Probably it came back when the computer was rebooted.

    Comment by the Network Geek — 6/27/2011 @ 10:26 pm

  29. Not sure which one is infected. Hard to tell based on what you’re describing. Have you tried the tool in this link?
    http://blogs.technet.com/b/teamdhcp/archive/2009/07/03/rogue-dhcp-server-detection.aspx

    That was recommended by several people in several comments as a way to find the infected computer. I would scan *all* of them, regardless, especially the ones that don’t seem to be infected.

    Comment by the Network Geek — 6/27/2011 @ 10:29 pm

  30. That tool was great…it came up with two; one was my son’s and the other one I wasn’t positive about, the numbers seemed to be my laptop but they weren’t exactly the same…but I did trial and error..as soon as I disabled my son’s network the computers all worked fine and went back to their correct DNS servers after I did release and renew…I did notice though, which is kind of puzzling to me..when my computer is on all the computers are working fine as well..but when I run that tool it comes up with two computer names..but when I disable mine and my son’s it says none found. I am curious as to if my computer is giving the network a problem why would all computers work if my wireless is enabled..but as soon as I enable my son’s wireless the computers do not work and now the best part is I have no clue how to get rid of this virus..I have run every virus scan on these computers and did all the steps listed above and still having this problem.

    Comment by jennifer — 6/28/2011 @ 12:09 pm

  31. @Jennifer – I’m pretty sure it’s because your son’s machine is the one that’s actually infected. If you clean that one, I *think* your problem will go away completely. Try using the anti-virus/anti-malware programs that you’ve already used. Then, try TDSS Killer. You can download it here: http://support.kaspersky.com/faq/?qid=208283363
    If that *still* doesn’t clean it, I would think about backing up his data and restoring the computer to the factory default settings with a restore CD that, hopefully, shipped with the computer.

    Comment by the Network Geek — 6/28/2011 @ 1:03 pm

  32. I agree and think his is the one..I will try that as my last resort and then I agree I am going to wipe the computer out and start fresh…I have to say this is the most annoying virus..it’s bad enough when one computer gets a virus..but to have this affect all the computers in the house is crazy..I will post again later with an update..thanks so much

    Comment by jennifer — 6/28/2011 @ 1:13 pm

  33. I ran TDSS Killer on my son’s computer and it found something:
    rootkit.win32.tdss.td14
    anyone know what that is? Going to run it on mine now.

    Comment by jennifer — 6/28/2011 @ 1:56 pm

  34. @Jennifer – *That* is the virus, for sure! Yeah, probably best to run that on all your machines.

    Comment by the Network Geek — 6/28/2011 @ 2:01 pm

  35. woohooo…I can’t believe how that was hidden and it took so many scans to get rid of it!!! I will run scans on all other computers! I cannot thank you enough…you were so helpful 🙂 I’m keeping my fingers crossed that this is gone for good!

    Comment by jennifer — 6/28/2011 @ 2:05 pm

  36. Thanks to Stephen X and Network Geek for your tips in #11 and #31! We also had a major mess. I performed all the steps in #11, and ran TDSS Killer before TFC. After watching traffic while turning off/on the wifi on my mac laptop (sudo tcpdump -i en1 | grep DHCP), it looks like my desktop is no longer offering its fake DNS services. I also disabled autorun/autoplay on all of our machines.

    For them as are interested, this blog post exactly describes the behavior on my infected machine, and the links go into gory detail. http://www.securelist.com/en/blog/208188095/TDSS_loader_now_got_legs

    Thank you Jim, and thank you Stephen. I’m not an IT person, I just know how to ask the web what to do. Thanks for having an answer!

    Comment by Rachel — 6/29/2011 @ 12:15 am

  37. Once again I thought it was gone..but I am back. Today my son’s computer popped up with a
    new problem…XP Antivirus 2012 popped up on my son’s computer..running a SUPERAntiSpyware scan and so far it has detected:

    2 system.brokenfileAssociation

    1 troganAgent/Gen

    3 Disabled SecurityCenter Option

    How could all these viruses appear in one day? Do you think I should have the computer wiped clean?

    Comment by jennifer — 6/29/2011 @ 4:51 pm

  38. @Jennifer – Sometimes, cleaning one virus reveals another that was being hidden by the first. Keep scanning until it comes back clean and you’ll get them eventually.
    Also? Now you know why security experts routinely get fees at $150+ per hour!

    Comment by the Network Geek — 6/29/2011 @ 5:07 pm

  39. Okay..will keep scanning! I think I’m going to start charging people after this lol…I am certainly turning into a pro on removing viruses! Will update again..and thank you again!

    Comment by jennifer — 6/29/2011 @ 6:07 pm

  40. At first, Microsoft was advising that people reformat their drives and do a clean install of Windows to fix some of these problems, as seen on this EWeek blog post. But they’ve since changed their direction on that and say that the standard methods for removing these kinds of boot-sector malware beasties should do it. Again, I cannot recommend TDSS Killer enough for this, as seen in previous comments.

    Comment by the Network Geek — 6/30/2011 @ 9:59 am

  41. I had this virus on one of my machines. I found that it was a rootkit and it was loading from the MBR on an XP SP3 machine. I booted to the recovery console and ran fixmbr and fixboot. Booted back into Windows and hit it with rkill and combofix. Finished up with Malwarebytes etc. ipconfig /flushdns on all the other machines. Problem solved.

    Comment by cyberlife — 7/1/2011 @ 5:32 pm

  42. So far we have been okay..I just kept scanning and every time I scanned a new virus came up..I then scanned in safe mode and found some more and so far so good for the past few days..
    #41…just curious..what is booting to the recovery console and fixmbr and fixboot.

    Comment by jennifer — 7/2/2011 @ 8:56 am

  43. @Jennifer – It’s pretty hard-core tech geek stuff.
    There’s a kind of add-on module for Windows that adds something called the Windows Recovery Console. It adds it as a boot option, sort of like Safe Mode, but different. It’s a way for support techs like me, and a significant portion of the people who read my blog, to get to a special command prompt that will let us run some repair functions, like “fixmbr” and “fixboot”. Fixmbr is a command that will recreate the Master Boot Record, or MBR. Fixboot repairs or replaces certain Windows files required to boot, or start, Windows on the PC. Those two things, the mbr and the system boot files, work together to load everything to make the PC usable. If you’re really interested, you can check out How Computers Work (9th Edition) (See all Computer & Internet Books). It’s a pretty good book for getting the basics of the tech behind stuff we do on these magic boxes all day!

    Comment by the Network Geek — 7/2/2011 @ 2:09 pm

  44. Block The IP Address 188.229.88.7

    Download BeeThink IP Blocker (Its Free) at http://www.beethink.com

    Install BeeThink (Reboot Will Be Required)

    Download this Blocker List http://www.freedrive.com/folder/308522

    Run BeeThink Select “Config IP List” in BeeThink, Import The List and Apply.

    Internet Should Be Restored Instantly

    Comment by MO — 7/21/2011 @ 8:33 pm

  45. I found the location of it
    Bucharest

    Comment by nickiman3 — 12/29/2011 @ 9:32 am
