R
Raaz
DNS address for the vpn client changes to 69.57.146.14
suddenly...
later on, finding in the registry, this is what happens:
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
which should point at %Systemroot%\system32\drivers\etc is now pointing towards %Systemroot%\help
which contains a hosts file which is redirecting to the following addresses
88.88.88.88 elite
207.44.194.56 www.google.akadns.net
207.44.194.56 www.google.com
207.44.194.56 google.com
207.44.194.56 www.altavista.com
207.44.194.56 altavista.com
207.44.194.56 search.yahoo.com
207.44.194.56 uk.search.yahoo.com
207.44.194.56 ca.search.yahoo.com
207.44.194.56 jp.search.yahoo.com
207.44.194.56 au.search.yahoo.com
207.44.194.56 alltheweb.com
207.44.194.56 web.ask.com
207.44.194.56 ask.com
207.44.194.56 www.ask.com
207.44.194.56 www.teoma.com
207.44.194.56 search.aol.com
207.44.194.56 www.looksmart.com
207.44.194.56 auto.search.msn.com
207.44.194.56 search.msn.com
207.44.194.56 ca.search.msn.com
207.44.194.56 google.com.sg
207.44.194.56 www.hotbot.com
207.44.194.56 hotbot.com
10/01/03 17:03:12 dig 207.44.194.56 @ 10.10.10.1
Dig 56.194.44.207.in-addr.arpa-at-10.10.10.1 ...
Authoritative Answer
Recursive queries supported by this server
Authoritative answer: Host doesn't exist
Query for 56.194.44.207.in-addr.arpa type=255 class=1
194.44.207.in-addr.arpa SOA (Zone of Authority)
Primary NS: ns1.ev1.net
Responsible person: admin-at-ev1.net
serial:1063803342
refresh:3600s (60 minutes)
retry:1800s (30 minutes)
expire:604800s (7 days)
minimum-ttl:7200s (2 hours)
Also check these reg keys
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD1000}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"
Changing the local machine's config in the network control panel appears to reset the entire
hklm\system\ccs\services\parameters\interfaces key, removing this "r0x" entry.
block the following traffic too
207.44.194.56
69.57.146.14
69.57.146.175
this should help !!! ???
seems to be some kind of worm / backdoor or transparent
program running in background / spyware ????
any ideas / clues please do reply
thanks
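A defender-side check for the hijack described in the post above, added here as an example and not part of the original post: it parses a hosts file, flags any public IP that several unrelated hostnames are mapped to, and on Windows compares the live Tcpip\Parameters\DataBasePath value with its default. The sample hosts text is constructed from the entries quoted in the post; the default path string and the min_names threshold are assumptions.

```python
import ipaddress
import sys

# Constructed sample, copied from the hosts entries quoted in the post.
SAMPLE_HOSTS = """\
88.88.88.88 elite
207.44.194.56 www.google.com
207.44.194.56 google.com
207.44.194.56 search.yahoo.com
207.44.194.56 search.msn.com
127.0.0.1 localhost
"""
# Assumed default; compared case-insensitively, unexpanded.
EXPECTED_DB_PATH = r"%SystemRoot%\System32\drivers\etc"

def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments and blank lines."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            pairs.extend((ip, n.lower()) for n in names)
    return pairs

def suspicious_redirects(pairs, min_names=3):
    """Return {ip: [names]} for each public IP that at least min_names
    hostnames map to. Loopback/private targets are normal in a hosts
    file; many unrelated domains sent to one remote IP is the hijack."""
    by_ip = {}
    for ip, name in pairs:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not a usable redirect
        if addr.is_loopback or addr.is_private:
            continue
        by_ip.setdefault(ip, set()).add(name)
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_names}

def databasepath_ok():
    """On Windows, check that DataBasePath still points at the default
    directory; returns None on other platforms (nothing to check)."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
    value, _ = winreg.QueryValueEx(key, "DataBasePath")
    return str(value).lower() == EXPECTED_DB_PATH.lower()
```

Run suspicious_redirects(parse_hosts(open(path).read())) against the file actually found under the DataBasePath directory, not just the one in system32\drivers\etc.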