Malicious Attack... Windows registry??

opers13 Member Posts: 100
Hi all,

Yesterday I ran into an interesting issue with around 100 PCs in my network.

PCs could access all internal resources, however they could not browse to external sites at all. To make a long story short....we called Microsoft and found out that the registry parameters for TCP/IP were changed...the TTL value was set to 10.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL"=dword:0000000a(10)


After deleting this key and rebooting the PCs, the problem was solved. Microsoft Tier3 had never seen this before (according to the tech).

Anyone seen this before? Tx

Comments

  • Kaminsky Member Posts: 1,235
    Either you got a sh*t hot knowledgeable virus writer or you have a new boy configuring the PCs.

    Put my money on rogue netcard driver installation software.


    How the hell did they diagnose HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL"=dword:0000000a(10)
    Kam.
  • opers13 Member Posts: 100
    Kaminsky wrote:
    Either you got a sh*t hot knowledgeable virus writer or you have a new boy configuring the PCs.

    Put my money on rogue netcard driver installation software.


    How the hell did they diagnose HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL"=dword:0000000a(10)

    We have scanned the PCs with McAfee, Symantec and Trend...no virus. We use SMS and nothing got pushed to the PCs.

    What do you mean by "rogue netcard driver installation software"????

    Microsoft compared the bad tcp/ip and dhcp registry keys to working keys.
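
The comparison of a bad machine's TCP/IP keys against a working machine's, as described in the last reply, can be done offline on `.reg` exports. This is an added example, not part of the thread: the two exports are constructed samples, and the function names and the `Hostname` ignore list are assumptions.

```python
import re

# Constructed sample exports in regedit's .reg text format (not the thread's data).
# Real exports are UTF-16: read them with open(path, encoding="utf-16").
KEY = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]"
GOOD_REG = "Windows Registry Editor Version 5.00\n\n" + KEY + r'''
"EnableICMPRedirect"=dword:00000001
"Hostname"="PC-GOOD"
'''
BAD_REG = "Windows Registry Editor Version 5.00\n\n" + KEY + r'''
"DefaultTTL"=dword:0000000a
"EnableICMPRedirect"=dword:00000001
"Hostname"="PC-BAD"
'''

def parse_reg(text):
    """Map (key path, value name), both lowercased, to the raw data string."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:  # continuation lines of long hex values are not handled here
                values[(key, m.group(1).lower())] = m.group(2)
    return values

def decode(raw):
    """Turn dword:XXXXXXXX into an int; leave other data types as text."""
    if raw is None:
        return None  # value absent on that machine
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    return int(m.group(1), 16) if m else raw

def diff_reg(good_text, bad_text, ignore=("hostname",)):
    """List (value name, good data, bad data) for every value that differs."""
    good, bad = parse_reg(good_text), parse_reg(bad_text)
    return [(k[1], decode(good.get(k)), decode(bad.get(k)))
            for k in sorted(set(good) | set(bad))
            if k[1] not in ignore and good.get(k) != bad.get(k)]

if __name__ == "__main__":
    for name, good, bad in diff_reg(GOOD_REG, BAD_REG):
        print(f"{name}: good={good!r} bad={bad!r}")
```
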