Kurtis
Yesterday one of our PCs would not browse the Internet anymore. If
this happens to you take a close look at the TCP/IP config. We found
out that the entry for DNS had been changed to 216.127.92.38.
So, it looked like one of the Qhosts or Delude variants. I found no
reg files or exes left behind. The hosts file was in the correct
place for this W2K PC. (winnt\system32\drivers\etc) Actually, it
showed no signs of having a virus except that it could not browse the
Internet.
Our internal network/router guru had stopped all DNS requests unless
they came from his DNS servers. Which was why it could not browse the
Internet. Anyway I think the DNS servers at 216.127.92.38 have been
taken out of commission.
Here is the fix, run regedit and look at this key,
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
Inside this branch there were three entries. They each had long names
and inside they had various TCP/IP info. The second one of the three
had a lot more entries inside than the others. This one had
216.127.92.38 placed inside the "NameServer" key. Just clear out that
216.127.92.38, leave "NameServer" empty and reboot.
Good Luck, and I hope this post helps.
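
The registry check described in the post above, written as a read-only audit script. This is an added example, not part of the original post: it assumes PowerShell 3.0 or later on a current Windows system rather than regedit on W2K, and the addresses in `$AllowedDns` are constructed placeholders for your own resolvers.

```powershell
# Added example: list every DNS server configured per interface in the
# registry and mark the ones that are not on an expected-resolver list.
# Read-only: nothing is changed.

# Assumption: placeholder addresses (documentation range); use your own resolvers.
$AllowedDns = @('192.0.2.53', '192.0.2.54')

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

$findings = Get-ChildItem -Path $Base | ForEach-Object {
    $iface = $_                                   # one subkey per interface (the "long names")
    $props = Get-ItemProperty -Path $iface.PSPath

    # NameServer holds statically set servers, DhcpNameServer the DHCP-supplied ones.
    foreach ($valueName in 'NameServer', 'DhcpNameServer') {
        $raw = $props.$valueName
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }

        # Entries are separated by commas or spaces.
        foreach ($ip in ($raw -split '[,\s]+')) {
            if (-not $ip) { continue }
            [pscustomobject]@{
                Interface = $iface.PSChildName
                Value     = $valueName
                Server    = $ip
                Allowed   = ($AllowedDns -contains $ip)
            }
        }
    }
}

# Show everything, unexpected servers first.
$findings | Sort-Object Allowed, Interface | Format-Table -AutoSize

# Non-zero exit code if any interface points at a resolver that is not on the list.
if ($findings | Where-Object { -not $_.Allowed }) { exit 1 }
```

Rows with `Allowed` set to `False` are the interfaces to inspect by hand, as in the post.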
