echo: nthelp
to: Gary Britt
from: Glenn Meadows
date: 2006-06-26 16:23:10
subject: Re: Wareout

From: "Glenn Meadows" 

The local DHCP server normally sets them, but this exploit changes the
setting in TCPIP from "Automatic" to Manual, and plugs in two DNS
servers that when I did a trackdown on them, showed up as part of Inhoster
in the Ukraine.

Then, we watched carefully, and when he clicked on a link in Google, he was
redirected to a different address in the same subnet.  That's when we
discovered that his DNS servers had changed entries.

Googled that whole browser hijack to that address, and got some threads at
MajorGeeks that pointed me to the way to detect/remove it.

I'm impressed with what they have to offer at Majorgeeks.com, but then, I'm
easily amused...HAHAHAHAHA.
--

Glenn M.
"Gary Britt"  wrote in message
news:44a04e58{at}w3.nls.net...
>I thought the router set the DNS servers to be used and not something on
>the local machine?
>
> Gary
>
> "Glenn Meadows"  wrote in message
> news:44a03ee4$1{at}w3.nls.net...
>> Found an attack that I've not been able to have any virus/spyware scan
>> detect, Wareout.  It re-directs web searches through a set of DNS servers
>> in the Ukraine.
>>
>> The boss's laptop was doing that, and also, it manually changed his DNS
>> servers to 85.245.x.x, which started to restrict his access to some other
>> corporate B to B sites.
>>
>> Took some time to find the source of the problem, but the info at
>> Majorgeeks.com allowed me to clean the laptop in about 45 minutes.
>>
>> --
>>
>> Glenn M.
>>
>
>

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267
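
The symptom described in this message (DNS switched from automatic to manually entered servers) leaves a trace in the per-interface NameServer registry value, while DHCP-supplied resolvers are stored separately in DhcpNameServer. The following is an added example, not part of the original post: it parses saved `reg query` output and flags interfaces whose manual resolvers are not on an approved list. The sample output, GUIDs, addresses and the approved list are constructed for illustration.

```python
import re

# Constructed sample of saved output from:
#   reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s
# GUIDs and addresses are made up (RFC 5737 documentation ranges).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-aaaa-bbbb-cccc-000000000001}
    EnableDHCP    REG_DWORD    0x1
    NameServer    REG_SZ    203.0.113.10,203.0.113.11
    DhcpNameServer    REG_SZ    192.0.2.1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-aaaa-bbbb-cccc-000000000002}
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    192.0.2.1 192.0.2.2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-aaaa-bbbb-cccc-000000000003}
    EnableDHCP    REG_DWORD    0x0
    NameServer    REG_SZ    192.0.2.1
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

def parse_interfaces(text):
    """Return {interface_guid: {value_name: data}} from reg query output."""
    interfaces, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = interfaces.setdefault(line.strip().rsplit("\\", 1)[-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1)] = m.group(3).strip()
    return interfaces

def split_servers(data):
    """NameServer may be comma- or space-separated; DhcpNameServer uses spaces."""
    return [s for s in re.split(r"[,\s]+", data) if s]

def find_static_dns(text, approved):
    """Flag interfaces whose manually set resolvers are not on the approved list."""
    findings = []
    for guid, values in parse_interfaces(text).items():
        static = split_servers(values.get("NameServer", ""))
        rogue = [s for s in static if s not in approved]
        if rogue:  # a manual entry overrides whatever the DHCP server handed out
            findings.append({"interface": guid, "static_dns": static, "unapproved": rogue,
                             "dhcp_dns": split_servers(values.get("DhcpNameServer", ""))})
    return findings

if __name__ == "__main__":
    for finding in find_static_dns(SAMPLE, approved={"192.0.2.1", "192.0.2.2"}):
        print(finding)
```

An interface that shows both an unapproved static entry and a normal DHCP-supplied resolver matches the case in the thread, where the DHCP server was still offering the right servers but the local setting overrode them.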

SOURCE: echomail via fidonet.ozzmosis.com
