It's not hooking DNS; that's the interesting thing. Direct NSLOOKUP queries work fine, only the appropriate local servers are listed. Somehow it's actually redirecting the traffic itself, probably through a hidden driver.

Ah well - off to the nuke pile with it.

-- Durf

On Thu, Aug 14, 2008 at 2:49 PM, Erik Goldoff <[EMAIL PROTECTED]> wrote:
> I think that's a variant of winfixer .... verify via IPCONFIG -all that
> ONLY your preferred DNS is in play... and I'd boot from a secondary
> instance of the OS (or a boot CD) and *then* scan for malware and rootkits
>
> ------------------------------
> *From:* Durf [mailto:[EMAIL PROTECTED]]
> *Sent:* Thursday, August 14, 2008 2:26 PM
> *To:* NT System Admin Issues
> *Subject:* "Vista Antivirus 2008" malware removal
>
> Hey guys;
>
> I was called in to look over another tech's customer who had a system where
> they had (mostly) removed the "Vista Antivirus 2008" fake AV malware. The
> only issue still remaining was what we thought at first was a simple browser
> redirection issue - visiting a huge number of security-related sites resulted
> in a 404.
>
> Well, it wasn't a BHO, and it wasn't a redirect, and it's not a HOSTS
> file. It's something screwed in the TCP/IP stack. NSLOOKUP returns the
> proper DNS result for a site, but when you send any traffic to it at all -
> ping, let's say - it's redirected to localhost.
>
> Anyone seen this before and fixed it by means other than burning down the
> system, which is what I'm going to recommend otherwise?
>
> -- Durf

--
--------------
Give a man a fish, and he'll eat for a day.
Give a fish a man, and he'll eat for weeks!
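The checks Erik and Durf describe (direct DNS answer via NSLOOKUP, what the resolver actually hands to applications, and where a ping to the literal address really lands) can be run side by side so the layer at which the answers diverge is obvious. The PowerShell below is an added example written for this page, not code from either poster or from any vendor. It assumes it is run in an elevated prompt on the affected Windows box, and the site list at the bottom is a placeholder assumption; substitute the sites that come back as 404.

```powershell
# Added example, not code from the thread. Triage for the symptom Durf
# describes: direct DNS answers look right but traffic to the name ends up
# at localhost. Three layers are checked and reported next to each other.
# Assumptions: elevated PowerShell on the affected machine; the site list at
# the bottom is a placeholder.

function Get-DirectDnsAnswer {
    # nslookup sends its own query to the configured DNS server on port 53 and
    # bypasses the system resolver, the HOSTS file and any Winsock LSP.
    param([string]$Name)
    $answers  = @()
    $inAnswer = $false
    foreach ($line in (& nslookup.exe $Name 2>$null)) {
        # Everything before "Name:" is the "Server:/Address:" header for the DNS server itself.
        if ($line -match '^Name:') { $inAnswer = $true; continue }
        if ($inAnswer -and $line -match '(\d{1,3}(\.\d{1,3}){3})') { $answers += $Matches[1] }
    }
    return $answers
}

function Get-StackAnswer {
    # The same question asked the way applications ask it: through the Winsock
    # resolver, so HOSTS entries, LSPs and resolver hooks all get a say.
    param([string]$Name)
    try {
        return @([System.Net.Dns]::GetHostAddresses($Name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString })
    } catch { return @() }
}

function Get-PingReplySource {
    # Ping the literal IP (no name resolution involved) and read back which
    # address actually answered. A reply from 127.0.0.1, or from anything other
    # than the address pinged, means the packet was redirected below the resolver.
    param([string]$Ip)
    foreach ($line in (& ping.exe -n 1 -w 2000 $Ip 2>$null)) {
        if ($line -match 'Reply from (\d{1,3}(\.\d{1,3}){3})') { return $Matches[1] }
    }
    return $null
}

function Test-ResolverTamper {
    param([string[]]$Sites)
    foreach ($site in $Sites) {
        $direct  = @(Get-DirectDnsAnswer $site)
        $stack   = @(Get-StackAnswer $site)
        $pingSrc = if ($direct.Count -gt 0) { Get-PingReplySource $direct[0] } else { $null }
        $mismatch = ($direct.Count -gt 0 -and $stack.Count -gt 0 -and
                     @(Compare-Object $direct $stack).Count -gt 0)
        New-Object PSObject -Property @{
            Site        = $site
            DirectDns   = ($direct -join ',')
            StackResolv = ($stack -join ',')
            PingReply   = $pingSrc
            Suspicious  = ($mismatch -or ($stack -contains '127.0.0.1') -or
                           ($pingSrc -ne $null -and $direct.Count -gt 0 -and $pingSrc -ne $direct[0]))
        }
    }
}

function Get-HostsEntries {
    # Active (non-comment) HOSTS lines: the cheapest layer to confirm, even
    # though Durf has already ruled it out on his box.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
}

function Get-WinsockProviders {
    # Every Winsock catalog entry sits in the path of every socket call an
    # application makes, so a rogue LSP can rewrite destinations with nothing
    # visible in nslookup. Review any Provider Path that is not a stock
    # Microsoft DLL (mswsock.dll, napinsp.dll, pnrpnsp.dll, winrnr.dll, nlaapi.dll).
    & netsh.exe winsock show catalog | Select-String -Pattern 'Provider Path'
}

# Usage. The site list is an assumption; put in the sites that come back as 404.
$sites = 'www.microsoft.com', 'www.avg.com', 'www.sunbeltsoftware.com'
Test-ResolverTamper $sites | Format-Table Site, DirectDns, StackResolv, PingReply, Suspicious -AutoSize
'--- HOSTS entries ---';    Get-HostsEntries
'--- Winsock catalog ---';  Get-WinsockProviders
```

How to read it: DirectDns and StackResolv differing means something between the application and the DNS server (HOSTS, an LSP, a resolver hook) is answering; DirectDns and StackResolv agreeing while PingReply comes back from 127.0.0.1 or another address means the redirect sits below Winsock, in the TCP/IP path, which is the case Durf is describing. A filter driver that rewrites the reply's source address back to the original would pass even the ping check, so a clean result here does not clear the box; at that point Erik's advice stands, boot from a separate OS instance and scan from there. If the Winsock catalog does list a non-Microsoft provider, `netsh winsock reset` rebuilds the catalog from scratch, but that only addresses the LSP layer, not a driver.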
