DNSChanger is a trojan that changes the infected system’s Domain Name Server (DNS) settings in order to divert traffic to unsolicited, and potentially illegal, sites. This Trojan is designed to change the ‘NameServer’ Registry key value to a custom IP address. This IP address is usually encrypted in the body of the trojan.

Working with the FBI under a court order expiring July 9, the Internet Systems Consortium is operating replacement DNS servers for the Rove Digital network. This will allow affected networks time to identify infected hosts, and avoid sudden disruption of services to victim machines. July 9th is being called Internet Doomsday. The FBI set up a safety net months ago using government computers, but that system will shut down July 9. At that point, infected users won’t be able to connect to the Internet.

The Trojan can be removed.

Manual Removal Instructions:

1. Navigate to the following paths in the registry.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters “DhcpNameServer”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%Random CLSID% “DhcpNameServer”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%Random CLSID% “NameServer”

2. Look for unknown IP addresses in the Data part. Change them to the IP addresses of your DNS servers.
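The registry check from step 2, as an added PowerShell example that is not part of the original post: it lists every NameServer and DhcpNameServer value under the Tcpip parameters keys and marks addresses that are not in a known list. $KnownDns is an assumption and holds placeholder addresses; replace it with the DNS servers your network actually uses.

```powershell
# Added example: audit the DNS values named in the manual removal steps.
# $KnownDns is an assumption. The addresses below are placeholders from the
# RFC 5737 documentation range; replace them with your real DNS servers.
$KnownDns = @('192.0.2.53', '192.0.2.54')

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# The global Parameters key plus one subkey per network interface.
$keys = @($base) + @(
    Get-ChildItem -Path "$base\Interfaces" -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSPath }
)

$findings = foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'NameServer', 'DhcpNameServer') {
        $raw = $props.$name
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }

        # A value can hold several addresses separated by commas or spaces.
        foreach ($ip in ($raw -split '[,\s]+' | Where-Object { $_ })) {
            [pscustomobject]@{
                Key     = ($key -replace '^.*::', '')   # drop the provider prefix
                Value   = $name
                Address = $ip
                Known   = $KnownDns -contains $ip
            }
        }
    }
}

# Unknown addresses sort first so they are easy to spot.
$findings | Sort-Object Known, Key | Format-Table -AutoSize

$unknown = @($findings | Where-Object { -not $_.Known })
if ($unknown.Count -gt 0) {
    Write-Warning "$($unknown.Count) DNS address(es) are not in the known list; review them before changing anything."
}
```

The script only reads the registry; changing a flagged value to the correct DNS server is still done by hand as described in step 2.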
Had a big DNS problem today, and this article really helped me out; very detailed and easy to understand. I have worked with DHCP and DNS in the past but never realized how many settings and options there really were to set. It was interesting: you would ping a PC by name and it would come back with the wrong IP. The problem ended up being a combination of short DHCP leases with a long aging and scavenging time set in DNS. http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1040355,00.html