Malwarebytes

Database 625


#1
MaB69

Hi,

Fast scan gives 3 detections:

Quote

Malwarebytes' Anti-Malware 1.11
Version de la base de données: 625

Type de recherche: Examen rapide
Eléments examinés: 30272
Temps écoulé: 3 minute(s), 1 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 3
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F7D99B22-E56C-4EA1-91EF-463493EB4822}\NameServer (Trojan.DNSChanger) -> Data: 208.67.222.222,208.67.202.202 -> No action taken. [ScanForBadDNSServers() Function]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F7D99B22-E56C-4EA1-91EF-463493EB4822}\NameServer (Trojan.DNSChanger) -> Data: 208.67.222.222,208.67.202.202 -> No action taken. [ScanForBadDNSServers() Function]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{F7D99B22-E56C-4EA1-91EF-463493EB4822}\NameServer (Trojan.DNSChanger) -> Data: 208.67.222.222,208.67.202.202 -> No action taken. [ScanForBadDNSServers() Function]

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)

I wish that a DNSChanger would really hijack a DNS conf to use OpenDNS :P

Regards,

MaB

#2
nosirrah

fixing
Bruce Harrison
Vice President of Research


#3
nosirrah

Should be fixed.

I added them to begin with because malware did hijack to this.

A few HJT helpers were removing them so I added them.

#4
MaB69


nosirrah, on Apr 14 2008, 10:12 PM, said:

Should be fixed.

I added them to begin with because malware did hijack to this.

A few HJT helpers were removing them so I added them.

Hi Bruce,

Fixed using db 629

Sorry, I did not understand what you mean. IPs in the same range are used to hijack DNS servers?

Thanks

Regards,

MaB

#5
gerardwil

Hi MaB,

Shouldn't the second server be: 208.67.220.220?

Gerard

#6
nosirrah


MaB69, on Apr 14 2008, 06:01 PM, said:

Hi Bruce,

Fixed using db 629

Sorry, I did not understand what you mean. IPs in the same range are used to hijack DNS servers?

Thanks

Regards,

MaB


In HJT speak, these were the O17s HJT had listed after the malware installed.

I did find a few HJT experts removing them so I added them to the DNS hijack defs.

This seems to be a case where something nonmalicious was misused.

#7
MaB69

Hi,

Thank you Gerard and Bruce,

MBAM ;) shows me that I badly set my secondary DNS server :P

Never paid attention to this

Regards,

MaB
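
Added example, not part of the original thread and not Malwarebytes code: a Python parser for the NameServer lines of the scan log quoted in post #1 that groups them by interface and reports any address outside an expected resolver set. The expected set (208.67.222.222 plus the 208.67.220.220 that gerardwil suggests) and all function names are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the resolvers the administrator meant to configure.
EXPECTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Registry data lines copied from the scan log in post #1.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F7D99B22-E56C-4EA1-91EF-463493EB4822}\NameServer (Trojan.DNSChanger) -> Data: 208.67.222.222,208.67.202.202 -> No action taken. [ScanForBadDNSServers() Function]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F7D99B22-E56C-4EA1-91EF-463493EB4822}\NameServer (Trojan.DNSChanger) -> Data: 208.67.222.222,208.67.202.202 -> No action taken. [ScanForBadDNSServers() Function]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{F7D99B22-E56C-4EA1-91EF-463493EB4822}\NameServer (Trojan.DNSChanger) -> Data: 208.67.222.222,208.67.202.202 -> No action taken. [ScanForBadDNSServers() Function]
"""

# Captures the control set, the interface GUID and the NameServer data field.
LINE_RE = re.compile(
    r"\\SYSTEM\\(?P<cset>[^\\]+)\\Services\\Tcpip\\Parameters\\Interfaces"
    r"\\(?P<iface>\{[0-9A-Fa-f-]+\})\\NameServer .*?-> Data: (?P<data>.*?) ->"
)

def parse_findings(log_text):
    """Return one (control_set, interface_guid, [servers]) tuple per log line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            # NameServer data may be comma- or space-separated.
            servers = [s for s in re.split(r"[,\s]+", m["data"].strip()) if s]
            findings.append((m["cset"], m["iface"], servers))
    return findings

def audit(findings, expected=EXPECTED_RESOLVERS):
    """Per interface: control sets seen, malformed and unexpected addresses."""
    report = defaultdict(
        lambda: {"control_sets": [], "unexpected": set(), "invalid": set()})
    for cset, iface, servers in findings:
        entry = report[iface]
        entry["control_sets"].append(cset)
        for server in servers:
            try:
                ipaddress.ip_address(server)
            except ValueError:
                entry["invalid"].add(server)  # not an IP address at all
                continue
            if server not in expected:
                entry["unexpected"].add(server)  # review: typo or hijack?
    return dict(report)

if __name__ == "__main__":
    for iface, entry in audit(parse_findings(SAMPLE_LOG)).items():
        print(iface, entry)
```

An address in `unexpected` only means it differs from the configured baseline; whether it is a typo, as in this thread, or a hijack still needs a human decision.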