For most of them we can use Malwarebytes in Windows regular mode to remove the infection, but if there is a rootkit and Malwarebytes reports it can't run, then you will need to use Avenger to remove the rootkit first. Someone on the ResNet list posted this, and we have had to use Avenger once so far. We even had a PS3 get a rogue DNS address, so some are just victims that happened to request an IP and got the rogue one, with no infection.
http://swandog46.geekstogo.com/avenger2/doc.html

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Ryan Maes
Sent: Monday, April 06, 2009 3:20 PM
To: [email protected]
Subject: Re: [Rogue Client]

Something to check: Recently the CCA error 12007 (rogue client) was plaguing our network due to a new variant of a DNS hijack that would respond to DHCP requests with false DNS information. We ran dhcploc.exe on a computer in our student network to find the rogue DHCP servers. Sure enough, all of the rogue DHCP servers found were infected PCs. Since the variant was so new, Malwarebytes in safe mode was the only cure we could find.

-Ryan

>>> Mike Diggins <[email protected]> 4/6/2009 2:39 PM >>>
These Rogue client issues seem to have coincided with changing to the WUA checks. They stopped when I reverted back to the Cisco checks.

-Mike

On Sat, 4 Apr 2009, Mike Diggins wrote:
> While I was poking around, I happened to notice a few users with FAILED
> checks and [Rogue Client] appended to their username. Subsequent logins show
> success. Can I safely assume these individuals are trying to use some other
> means to gain access through CA? I don't want to disable their id if there
> could be some other explanation.
>
> xxxxalaz[Rogue Client]
> xxxxerj[Rogue Client]
> xxxxahj[Rogue Client]
> xxxxomk[Rogue Client]
> xxxxej2[Rogue Client]
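Ryan's dhcploc.exe sweep above found the rogue DHCP servers by looking at who answers DHCP requests. The script below is an added example, not code from this thread or from any of the tools named in it: it decodes raw DHCP OFFER payloads (RFC 2131 header, RFC 2132 options) and flags any offer whose server identifier is not on the list of legitimate DHCP servers, or whose DNS option (option 6) hands out resolvers outside the expected set, which is exactly the symptom of the DNS-hijack variant described. The packets, MAC address, allowlists and all IP addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are constructed for the example; in practice you would feed it payloads captured from UDP port 68 on a test host.

```python
"""Flag rogue DHCP OFFERs that push unexpected DNS servers (constructed example)."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
DHCP_OFFER = 2
FIXED_HEADER_LEN = 236  # op .. file fields of the BOOTP header, before the magic cookie


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header and the DHCP option list into a dict."""
    if len(payload) < FIXED_HEADER_LEN + 4:
        raise ValueError("payload too short for DHCP")
    op, _htype, hlen, _hops, xid = struct.unpack_from("!BBBBI", payload, 0)
    yiaddr = ipaddress.IPv4Address(payload[16:20])          # address being offered
    chaddr = payload[28:28 + hlen]                          # client hardware address
    if payload[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = FIXED_HEADER_LEN + 4
    while i + 1 < len(payload):                             # stop on a truncated TLV
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "options": options}


def _ipv4_list(raw: bytes) -> list:
    """Option 6 carries one or more 4-byte addresses; a trailing partial address is ignored."""
    return [ipaddress.IPv4Address(raw[j:j + 4]) for j in range(0, len(raw) - 3, 4)]


def classify_offer(payload: bytes, trusted_servers, expected_dns):
    """Return a verdict dict for a DHCP OFFER, or None if the payload is not an OFFER."""
    pkt = parse_dhcp(payload)
    opts = pkt["options"]
    if pkt["op"] != 2 or opts.get(OPT_MSG_TYPE) != bytes([DHCP_OFFER]):
        return None
    trusted = {ipaddress.IPv4Address(a) for a in trusted_servers}
    good_dns = {ipaddress.IPv4Address(a) for a in expected_dns}
    server_id = ipaddress.IPv4Address(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    dns = _ipv4_list(opts.get(OPT_DNS, b""))
    reasons = []
    if server_id not in trusted:
        reasons.append(f"untrusted server identifier {server_id}")
    bad_dns = [d for d in dns if d not in good_dns]
    if bad_dns:                                             # the DNS-hijack symptom itself
        reasons.append("unexpected DNS servers " + ", ".join(map(str, bad_dns)))
    return {"xid": pkt["xid"], "offered_ip": pkt["yiaddr"], "server_id": server_id,
            "dns": dns, "rogue": bool(reasons), "reasons": reasons}


def find_rogue_servers(payloads, trusted_servers, expected_dns) -> dict:
    """Group rogue OFFERs by server identifier, the way a dhcploc-style sweep reports them."""
    rogue = {}
    for payload in payloads:
        verdict = classify_offer(payload, trusted_servers, expected_dns)
        if verdict and verdict["rogue"]:
            rogue.setdefault(str(verdict["server_id"]), []).append(verdict)
    return rogue


def build_offer(xid: int, yiaddr: str, server_id: str, dns_servers) -> bytes:
    """Construct a minimal DHCP OFFER payload; sample data for this example only."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # op=BOOTREPLY, htype=ethernet
    hdr += b"\x00" * 4                                       # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed              # yiaddr
    hdr += ipaddress.IPv4Address(server_id).packed           # siaddr
    hdr += b"\x00" * 4                                       # giaddr
    hdr += b"\x00\x11\x22\x33\x44\x55" + b"\x00" * 10        # chaddr (constructed MAC)
    hdr += b"\x00" * 64 + b"\x00" * 128                      # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, DHCP_OFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    opts += bytes([OPT_DNS, len(dns_raw)]) + dns_raw + bytes([OPT_END])
    return hdr + MAGIC_COOKIE + opts


# Constructed allowlists and captures (documentation address ranges, not real hosts).
TRUSTED_DHCP = ["192.0.2.1"]
EXPECTED_DNS = ["192.0.2.53", "192.0.2.54"]
SAMPLE_OFFERS = [
    build_offer(0x1A2B3C4D, "192.0.2.100", "192.0.2.1", ["192.0.2.53", "192.0.2.54"]),
    build_offer(0x1A2B3C4D, "192.0.2.100", "192.0.2.77", ["203.0.113.9"]),   # infected PC answering the same request
    build_offer(0x5E6F7081, "192.0.2.101", "192.0.2.1", ["198.51.100.2"]),   # trusted server, wrong resolver
]

if __name__ == "__main__":
    for sid, hits in find_rogue_servers(SAMPLE_OFFERS, TRUSTED_DHCP, EXPECTED_DNS).items():
        for v in hits:
            print(f"rogue OFFER from {sid} (xid {v['xid']:#x}): {'; '.join(v['reasons'])}")
```

The second sample shows the race Ryan describes: an infected PC answers the same transaction ID as the real server, and whichever OFFER the client accepts first wins. Checking option 6 separately from the server identifier also catches the third case, where a trusted server itself hands out a bad resolver.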
