Jump to content

DNS_Unlocker reinfection cure

Recommended Posts

Hi there


I managed to get infected with DNS_Unlocker, so I updated MBAM and got to work. Problem cured.


Except it wasn't.


A few days later (without installing anything new) the notifications were back and I did another MBAM scan to get rid of it and the associated nasties. A new scan on reboot showed my system was clean.


Except it wasn't.


A few days later it was back. After cleaning yet again I took to reading around the net suggested I should turn on rootkit checking in MBAM. (I didn't know you had to switch this on - why is it not default?). But problem... it couldn't install that module.


So I guessed I probably had a rootkit.


Saw you had a Beta of MBAR and so downloaded and ran that. Six more nasties found that were presumably reseeding my system with DNS_Unlocker every day or two.


So my question is... why do no help guides for DNS_Unlocker mention the likelihood of rootkits when a system is being continually reinfected?


I'll report back if DNS_Unlocker comes back, but hopefully this might help somebody else (and you?) in the meantime.

Link to post
Share on other sites

Hi milestone and welcome to the MBAM forums :)


DNS Unlocker does not use a rootkit persay however it recently modified to include a new component that we can only target with our rootkit specific tech (eg MBAM with RK scanning enabled) or MBAR scan.


We will get our guides updated shortly to reflect this new change, thank you!


The scan for Rootkits is defaultly diasbled in the main engine as it does add extra time to the overall scantime and when it was enabled.


If you require further comfirmation and assurance that the problem has been fixed for you then please post a new topic to the following forum (with a link back to this topic) and one of the experts there will assist from there :)



Link to post
Share on other sites

No more reinfection yet, but one little thing that I found that MBAM can't really touch but could just go in the Help document...


The nasty adds a URL into the target property of any browser shortcuts it finds. This means resetting a home page URL within the browser doesn't stop a first start up from a shortcut from bringing up an unwanted (and potentially lethal) site.


I manually edited my Firefox and Safari shortcuts before thinking to post here, but here is the IE target from the File Properties in full:

"C:\Program Files\Internet Explorer\iexplore.exe" http://www%2dsearching.com/?prd=set_epc&s=G1Vzbwybl01,618f4baf-f4bc-43b2-ba86-7762bd101b11,

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.