Malware changing DNS to 81.218.119.15 and 199.203.35.75

Cleaned a computer today that had many bits of malware. One of the bits of junk had changed the DNS entries on the Windows 7 computer to:

81.218.119.15 (“bzq-218-119-15.red.bezeqint.net”)

inetnum: 81.218.0.0 – 81.218.255.255
org: ORG-IL9-RIPE
admin-c: BNT1-RIPE
netname: IL-BEZEQ-INTERNATIONAL-20021018
descr: Bezeq International-Ltd
country: IL
tech-c: BHT2-RIPE
status: ALLOCATED PA
remarks: please send ABUSE complains only to abuse@bezeqint.net
mnt-by: RIPE-NCC-HM-MNT

and
199.203.35.75 (no RDNS)

Net Range 199.203.32.0 – 199.203.37.255
CIDR 199.203.36.0/23
199.203.32.0/22
Name NV-YEDIOTH
Handle NET-199-203-32-0-1
Parent ELRON-C-BLK1 (NET-199-203-0-0-1)

The rogue resolvers appear to redirect requests for Google Analytics and inject their own code into the responses.

The malware had also tampered with the Winsock catalog and IP stack settings on the system so that no other DNS server could be used. This was resolved by running:

netsh interface ip reset
netsh winsock reset

Running HitmanPro would also have solved the problem.
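An added example (not code from the original post) that turns the indicators above into a check a defender can run on a Windows host: it reads the live DNS search order of each adapter plus the per-interface and global NameServer values the TCP/IP stack persists in the registry, reports any setting that points at the two addresses named in the post, and with -Remediate reverts them and runs the same two netsh resets. The -Remediate switch, the Test-RogueDns helper and the assumption of an elevated, Windows 7-era PowerShell session (WMI cmdlets rather than the newer NetTCPIP module) are mine, not the post's.

```powershell
# Added example, not from the original post. Finds the rogue resolvers named in
# the post on a Windows host and optionally reverts the DNS configuration.
# Assumptions: Windows 7-era PowerShell (WMI, no NetTCPIP module) and an
# elevated prompt for the registry write and the -Remediate step.
param([switch]$Remediate)

# Indicators from the post: the two resolver addresses the malware configured.
$RogueResolvers = @('81.218.119.15', '199.203.35.75')

function Test-RogueDns {
    # Returns the entries of $Servers that match a rogue resolver (empty if none).
    param([string[]]$Servers)
    $Servers | Where-Object { $_ -and ($RogueResolvers -contains $_.Trim()) }
}

$findings = @()

# 1. Live DNS search order on every IP-enabled adapter.
$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
foreach ($adapter in $adapters) {
    $hits = Test-RogueDns -Servers @($adapter.DNSServerSearchOrder)
    if ($hits) {
        $findings += "Adapter '$($adapter.Description)' resolves via: $($hits -join ', ')"
        if ($Remediate) {
            # SetDNSServerSearchOrder with no list reverts the adapter to DHCP-assigned DNS.
            $null = $adapter.SetDNSServerSearchOrder()
        }
    }
}

# 2. Per-interface NameServer values in the registry. These persist for adapters
#    that are disabled or not connected right now, which step 1 does not show.
$tcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
foreach ($iface in (Get-ChildItem -Path "$tcpipKey\Interfaces")) {
    $props = Get-ItemProperty -Path $iface.PSPath -ErrorAction SilentlyContinue
    if ($props.NameServer) {
        $hits = Test-RogueDns -Servers ($props.NameServer -split '[ ,]+')
        if ($hits) {
            $findings += "Interface $($iface.PSChildName) NameServer = $($props.NameServer)"
            if ($Remediate) { Set-ItemProperty -Path $iface.PSPath -Name NameServer -Value '' }
        }
    }
}

# 3. The global NameServer value, which overrides per-interface settings when set.
$globalNs = (Get-ItemProperty -Path $tcpipKey -ErrorAction SilentlyContinue).NameServer
if ($globalNs) {
    $hits = Test-RogueDns -Servers ($globalNs -split '[ ,]+')
    if ($hits) {
        $findings += "Global NameServer = $globalNs"
        if ($Remediate) { Set-ItemProperty -Path $tcpipKey -Name NameServer -Value '' }
    }
}

# 4. Report, and with -Remediate run the two resets from the post so that a
#    hijacked Winsock catalog or IP stack cannot pin the old resolvers again.
if ($findings.Count -eq 0) {
    Write-Output 'No rogue resolver configured on this host.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    if ($Remediate) {
        netsh interface ip reset
        netsh winsock reset
        Write-Warning 'Reboot required for the IP and Winsock resets to take effect.'
    }
}
```

Run it without arguments first to see what is configured; the registry pass matters because a hijacked NameServer value on a currently-disabled adapter survives a DHCP renewal and comes back as soon as that adapter is used again. After -Remediate, confirm with `ipconfig /all` once the host has rebooted.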
