The mysterious infection

What we know about it:

1. It is some kind of trojan or similar malware (probably with an integrated rootkit) that changes the default DNS servers (name servers) to certain IP addresses (which keep changing regularly).
2. It is not tied to a particular web browser, be it Microsoft Internet Explorer, Mozilla Firefox or Opera.
3. It seems to be a variant of a widespread trojan used to illegally install some infamous corrupt anti-spyware programs. It may also be a different parasite dropped by that trojan, though.
4. Usually, its traces do not appear in HijackThis logs. Sometimes we see malicious files related to the infection, but we still do not know which role they play.

It all started on Thursday, November 30. We had received a few reports naming it earlier, but the senders never replied, so we didn’t think it was a brand new infection.

Since Thursday, our forum has been flooded with hijack victims looking for removal instructions. Our spyware removal expert GTO is working hard to help them stop the redirects to the malicious site and to several other suspicious web sites.

Most of our visitors have already received help. However, we still aren’t sure what exactly the threat is, as none of our test systems has been infected yet. Meanwhile, we provide manual instructions on how to stop the redirects until an automatic removal tool or a workaround of some kind becomes available.

Basic Removal Instructions (use at your own risk):

1. Download the FixWareout tool. Install and run it. Restart your computer if FixWareout asks you to.

2. Press Start and click on the Run… option. This will open the Run tool. Type in cmd and press enter. Now the Command Prompt window should appear. Type in the command ipconfig /flushdns and press enter.

3. Open the Control Panel, double-click on the Network Connections icon and launch the Local Area Connection tool. Click Properties. Double-click on the Internet Protocol (TCP/IP) entry. Select the Obtain DNS server automatically option or enter addresses of your Internet service provider’s default DNS servers manually. Apply changes.
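The steps above can be turned into a quick check that a support volunteer can run against a victim’s `ipconfig /all` output: it parses the adapter sections, flags any DNS server that is not in a known-good list (the symptom described in point 1 of the list above), and prints the commands that correspond to steps 2 and 3. This is an added example, not part of the original post or the FixWareout tool; the sample output, the trusted resolver addresses (TEST-NET values) and the hypothetical rogue addresses are all constructed, and the `netsh` form of step 3 is assumed to match the manual TCP/IP properties dialog.

```python
import re
from ipaddress import ip_address

# Constructed sample of `ipconfig /all` output from a Windows XP host whose
# DNS servers have been switched to attacker-chosen addresses (TEST-NET
# values, not real infection IPs). Note the second server is printed on its
# own unlabelled line, which a naive line-by-line parser would miss.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : workstation01
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.net
        Description . . . . . . . . . . . : Generic PCI Ethernet Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.7
                                            203.0.113.8
"""

# Assumed set of legitimate resolvers (the ISP's servers plus the local
# router); replace with the values that apply to the host being checked.
TRUSTED_DNS = {"198.51.100.53", "198.51.100.54", "192.168.1.1"}

SECTION_RE = re.compile(r"^(\S.*?):?\s*$")            # non-indented header line
KEY_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 ()/\-]*?)[ .]*:\s*(.*)$")
CONT_RE = re.compile(r"^\s+(\S+)\s*$")                # unlabelled continuation


def parse_ipconfig(text):
    """Parse `ipconfig /all` output into {section: {key: [values]}}."""
    sections = {}
    current = None
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
            last_key = None
            continue
        m = KEY_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            value = m.group(2).strip()
            sections[current].setdefault(last_key, [])
            if value:
                sections[current][last_key].append(value)
            continue
        m = CONT_RE.match(line)
        if m and last_key:
            # e.g. the second DNS server, printed without a label
            sections[current][last_key].append(m.group(1))
    return sections


def _is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def find_rogue_dns(sections, trusted=TRUSTED_DNS):
    """Return [(section, [untrusted servers])] for adapters whose configured
    DNS servers include addresses outside the trusted set."""
    findings = []
    for name, fields in sections.items():
        servers = fields.get("DNS Servers", [])
        rogue = [s for s in servers if _is_ip(s) and s not in trusted]
        if rogue:
            findings.append((name, rogue))
    return findings


def remediation_commands(section):
    """Commands mirroring the manual steps: flush the resolver cache and put
    the interface back on DHCP-assigned DNS servers (returned, not run)."""
    iface = section.split(" adapter ", 1)[-1]   # "Local Area Connection"
    return [
        "ipconfig /flushdns",
        f'netsh interface ip set dns name="{iface}" source=dhcp',
    ]


if __name__ == "__main__":
    cfg = parse_ipconfig(SAMPLE_IPCONFIG)
    for section, rogue in find_rogue_dns(cfg):
        print(f"{section}: untrusted DNS servers {rogue}")
        for cmd in remediation_commands(section):
            print("   ", cmd)
```

Run it with the victim’s real `ipconfig /all` output piped into `parse_ipconfig` and the ISP’s actual resolvers in `TRUSTED_DNS`; an adapter that reports `Dhcp Enabled: Yes` together with statically set resolvers is exactly the pattern the manual step 3 undoes.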

If this doesn’t help, please feel free to use our forums. Download the HijackThis program, run a scan and post your log here. You will have to register first.

In a few days we will publish the detailed Removal Guide, provided a working solution is found.
