Having DNS problems with setting reset to 85.255.112.223 in the properties of TCP/IP: virus?

I am having problems with the preferred DNS server in the TCP/IP properties being reset to use
85.255.112.223 instead of my internal DNS server or using "obtain automatically".

I suspect that this may be a virus or trojan but have not found anything quick to fix it. We run Symantec Corp AV on server and workstations. It is only happening on 1 of the 5 workstations.

Thanks
to2007Asked:

kuknoCommented:
Be careful! This DNS server resolves any domain (like www.google.com, www.microsoft.com) to an IP address that is for sure the wrong one. Looks like an "advanced" phishing attack. I think it's best to either try some trojan cleaner tools or to re-install the PCs!

Regards
Kurt



0
kuknoCommented:
See also here: http://www.pchell.com/support/vista_update_error_80244019.shtml
The IP address is mentioned there together with the DNSChanger Trojan!

Regards
Kurt
0

to2007Author Commented:
thanks
0
originalbiffmalibuCommented:
The first thing to do is download the tools you will need to remove any malware from the system. I would save them to a flash drive because there is a recent virus out there that restricts the use of your CD drive. Here is what to download:

Combofix (bleepingcomputer.com)
Smitfraudfix (search google)
superantispyware (superantispyware.com)
spybot search and destroy (safer-networking.org)
antivir  (free-av.com)

After the first screen that identifies your PC manufacturer and specs, Windows will begin to load. Before it loads, hit the F8 key repeatedly until you are presented with a boot menu. You wish to boot to safe mode with networking. This will allow you to update some of the software. Windows Installer doesn't work in safe mode, so you can only run some of the software here. Please install/run Combofix first. When that has completed and while still in safe mode, install Spybot S&D and update it. Also run Smitfraudfix while in safe mode. Smitfraud also offers a DNS hijack fix on its menu; run that as well.

Once those have all run successfully, you should be able to boot into Windows the regular way and install AntiVir and SUPERAntiSpyware. Update and run these as well. After that, you should be clean; if not, let me know and I'll point you to further procedures.
0
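
To confirm which workstations and adapters still carry the changed resolver after cleanup, the following added example (not part of any post in this thread) parses saved `ipconfig /all` output and flags every DNS server that is either the address reported above or not on a list of expected resolvers. It assumes English-locale output with plain IP addresses; the sample text, the internal resolver 192.168.1.10 and the function names are constructed for illustration.

```python
import ipaddress
import re

# The resolver address reported in this thread (the only value taken from the page).
REPORTED = ipaddress.ip_address("85.255.112.223")
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD_RE = re.compile(r"^\s+([^.:]+?)[\s.]+:\s*(.*)$")

# Constructed sample of `ipconfig /all` output; 192.168.1.10 stands in for the
# internal DNS server and 203.0.113.53 is a documentation-range address.
SAMPLE = """\
Ethernet adapter Local Area Connection:

        DNS Servers . . . . . . . . . . . : 85.255.112.223
                                            192.168.1.10
        Primary WINS Server . . . . . . . : 192.168.1.11

Ethernet adapter Wireless Network Connection:

        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            203.0.113.53
"""

def parse_dns_servers(text):
    """Map each adapter to the DNS servers listed for it, continuation lines included."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if (m := ADAPTER_RE.match(line)):
            adapter, in_dns = m.group(1), False
            servers[adapter] = []
        elif (f := FIELD_RE.match(line)):
            # Any labelled field ends a DNS block unless it is the DNS field itself.
            in_dns = f.group(1).strip() == "DNS Servers"
            if in_dns and adapter and f.group(2).strip():
                servers[adapter].append(ipaddress.ip_address(f.group(2).strip()))
        elif in_dns and adapter and line.strip():
            # Secondary resolvers appear on unlabelled continuation lines.
            servers[adapter].append(ipaddress.ip_address(line.strip()))
    return servers

def audit(text, expected):
    """Return (adapter, server, reason) for each resolver that is reported or unexpected."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    return [(adapter, str(addr),
             "address reported in this thread" if addr == REPORTED else "not an expected resolver")
            for adapter, addrs in parse_dns_servers(text).items()
            for addr in addrs if addr == REPORTED or addr not in allowed]

if __name__ == "__main__":
    print(audit(SAMPLE, ["192.168.1.10"]))
```

Run it against output collected from each workstation both before and after a reboot, since the original question describes the setting being reset after it is corrected.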