microsoft redirect


  • This topic is locked
7 replies to this topic

#1 craven667
Posted 31 May 2009 - 05:23 PM

http://www.bleepingcomputer.com/forums/t/194759/windows-update-redirects-to-google/

Tried that word for word.
I have reformatted 2 times and did a rewrite to 0's and it is still redirecting to Google.
Now I was under the impression that if I wrote the drive to zeros all is gone, even the deepest virus, and it is still bleeping there.

#2 Farbar

Posted 31 May 2009 - 05:39 PM

Hi craven667,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

I might have an idea about what is going on. If my suspicion is correct, reformatting doesn't work. First I need some confirmation.
  • Click here to download HijackThis Installer.
    • Save HJTInstall.exe to your Desktop.
    • Double click on the HJTInstall.exe icon to start the installation.
    • When a window pops up asking you the directory to install the program please accept the proposed default directory.
    • The program will automatically place a shortcut on your desktop and if further use of the program is required, you can click on the shortcut to run the program.
    • Please run Hijackthis. Click Do a system scan and save a logfile then copy and paste the content of the log to your reply.
    Note: If you could not run Hijackthis rename it to moon.exe and run it.

  • Go to Start > Run, copy/paste the following line in the Run box and click OK.

    cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt& del log.txt

    A command window opens. Wait until a log.txt file opens. Please post the content to your reply.


#3 craven667 (Topic Starter)

Posted 31 May 2009 - 06:43 PM

I do have a magicJack phone line, but this happened after I had that.
I was told that it can be seen as spyware.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:41 PM, on 5/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\nancy\Application Data\mjusbsp\st00000\mjsetup.exe
C:\Documents and Settings\nancy\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\nancy\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 3923 bytes

#4 Farbar

Posted 31 May 2009 - 06:49 PM

I'm still waiting for the second log. :thumbup2:

#5 craven667 (Topic Starter)

Posted 31 May 2009 - 06:53 PM

Hope this is it.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : laptop
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : tampabay.rr.com

Ethernet adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : tampabay.rr.com
   Description . . . . . . . . . . . : Intel® PRO/Wireless 2200BG Network Connection
   Physical Address. . . . . . . . . : 00-16-6F-2F-9F-9B
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.103
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.2
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 93.188.161.105
                                       93.188.166.105
                                       1.2.3.4
   Lease Obtained. . . . . . . . . . : Sunday, May 31, 2009 7:39:18 PM
   Lease Expires . . . . . . . . . . : Monday, June 01, 2009 7:39:18 PM

Server:  93.188.161.105.static.ukrtelegroup.com.ua
Address:  93.188.161.105

Name:    google.com
Addresses:  74.125.67.100, 74.125.45.100, 209.85.171.100

Pinging google.com [74.125.67.100] with 32 bytes of data:

Reply from 74.125.67.100: bytes=32 time=73ms TTL=52
Reply from 74.125.67.100: bytes=32 time=73ms TTL=52

Ping statistics for 74.125.67.100:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 73ms, Maximum = 73ms, Average = 73ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 16 6f 2f 9f 9b ...... Intel® PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.104      25
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.104   192.168.1.104      25
    192.168.1.104  255.255.255.255        127.0.0.1       127.0.0.1      25
    192.168.1.255  255.255.255.255    192.168.1.104   192.168.1.104      25
        224.0.0.0        240.0.0.0    192.168.1.104   192.168.1.104      25
  255.255.255.255  255.255.255.255    192.168.1.104   192.168.1.104       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

#6 Farbar

Posted 31 May 2009 - 07:04 PM

Yes that is all I wanted to see. The Hijackthis log didn't show that and there is a good reason for that.

And yes, it is the router hijacking trojan DNS-changer. You could have reformatted as many times as you wanted without getting out of trouble. After doing the following steps, when updating Windows, disable your antivirus when you install Service Pack 3.

  • Please read this: Malware Silently Alters Wireless Router Settings

  • Consult this link to find out what the default username and password of your router are and note them down: Router Passwords

  • Then reset your router to its factory default settings:

    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds)"


  • This is the difficult part.
    First get to the router's server. To do that, type http://192.168.1.1 in the address bar and press Enter (in case this doesn't get you the page, which it should, try http://192.168.1.2). You get the log in window.
    Fill in the password you have already found and you will get the configuration page.
    Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard. But you have to fill in the log in password your ISP has initially given to you.
    You can also call your ISP if you don't have your initial password.
    Don't forget to change the router's default password and set a strong password. Note down the password and keep it somewhere for future reference.

    After this, to make sure the DNS setting on the computer is right, proceed with the following.

  • Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP) under General tab:
    • Check Obtain an IP address automatically and Obtain DNS server address automatically.
    • Click OK twice to save the settings.
    • Reboot.
  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Now start with downloading and installing Windows updates.
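The check Farbar made by eye on the ipconfig log above (the DHCP server is on the LAN, but the resolvers it leases are public addresses, so the setting lives in the router and survives any number of reformats) can be automated. The following Python script is an added example, not code from the thread or from Farbar: it parses an `ipconfig /all` capture, which the forum posted without its indentation (the parser tolerates that), and reports where the DNS setting comes from. The function names and the `known_good` parameter are this example's own, and the sample text is constructed from the values posted in this thread. One caveat the thread only implies: a public resolver handed out by a router is not proof of compromise by itself, since some routers pass the ISP's resolvers straight through; the tell here was that a tampabay.rr.com customer was being sent to resolvers whose reverse names are in ukrtelegroup.com.ua, so pass the ISP's real resolvers in `known_good` when you know them.

```python
"""Triage an ``ipconfig /all`` capture for a router-level DNS hijack.

Added example, not code from the thread or from Farbar: it applies the check
Farbar did by eye. Function names and the ``known_good`` parameter are this
example's own; the sample text is constructed from the values posted above.
"""
import ipaddress
import re

# Constructed sample: the fields from the thread's ipconfig output that matter here.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : laptop
   DNS Suffix Search List. . . . . . : tampabay.rr.com

Ethernet adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : tampabay.rr.com
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.103
   Default Gateway . . . . . . . . . : 192.168.1.2
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 93.188.161.105
                                       93.188.166.105
                                       1.2.3.4
   Lease Obtained. . . . . . . . . . : Sunday, May 31, 2009 7:39:18 PM
"""

_ADAPTER_RE = re.compile(r"^(\S[^.:]*):\s*$")  # "Ethernet adapter X:" header lines
_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9/ \-]*?)[ .]*:\s*(.*)$")  # "Field . . : value"


def parse_ipconfig(text):
    """Return {adapter: {field_lowercase: [values]}}; host-wide fields sit under ''."""
    sections = {"": {}}
    fields = sections[""]
    last = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _ADAPTER_RE.match(line)
        if m:
            fields = sections.setdefault(m.group(1).strip(), {})
            last = None
            continue
        m = _FIELD_RE.match(line)
        if m:
            last = m.group(1).strip().lower()
            values = fields.setdefault(last, [])
            if m.group(2).strip():
                values.append(m.group(2).strip())
        elif last is not None:
            # A line with no "field :" continues the previous field; that is how
            # ipconfig lists the 2nd and 3rd DNS server (indented or not).
            fields[last].append(line.strip())
    return sections


def is_internal(addr):
    """True for RFC 1918, loopback and link-local addresses (anything on the LAN side)."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0].split("(")[0])
    except ValueError:
        return True  # not an address at all; nothing to flag
    return ip.is_private or ip.is_loopback or ip.is_link_local


def triage_dns(text, known_good=()):
    """Flag adapters whose resolvers are outside the LAN and not on the ISP's known list.

    ``source`` says where the setting lives, which decides the fix:
      router   - leased by a DHCP server on the LAN: the router's config was changed,
                 so wiping the PC cannot remove it (what happened in this thread)
      upstream - leased by a DHCP server outside the LAN (modem-direct); ISP resolvers
                 are public addresses, so compare against known_good before acting
      host     - static setting on this PC (the registry entries HijackThis lists as O17)
    """
    findings = []
    for adapter, fields in parse_ipconfig(text).items():
        if not adapter:
            continue
        external = [r for r in fields.get("dns servers", [])
                    if not is_internal(r) and r not in known_good]
        if not external:
            continue
        dhcp_on = (fields.get("dhcp enabled") or ["No"])[0].lower() == "yes"
        dhcp_server = (fields.get("dhcp server") or [None])[0]
        if dhcp_on and dhcp_server and is_internal(dhcp_server):
            source = "router"
        elif dhcp_on:
            source = "upstream"
        else:
            source = "host"
        findings.append({"adapter": adapter, "source": source,
                         "dhcp_server": dhcp_server, "external_resolvers": external})
    return findings


if __name__ == "__main__":
    for f in triage_dns(SAMPLE_IPCONFIG):
        print(f"{f['adapter']}: resolvers {f['external_resolvers']} "
              f"set by {f['source']} (DHCP server {f['dhcp_server']})")
```

Run it against the pasted log and the only finding is `source: router` for the wireless adapter, which is exactly why the HijackThis log was clean: HijackThis reports DNS changes made in the registry (O17), not addresses the router leases over DHCP. A `host` finding would instead mean the PC's own TCP/IP settings were changed, and the "Obtain DNS server address automatically" step above is what clears that.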


#7 craven667 (Topic Starter)

Posted 31 May 2009 - 07:17 PM

Yup, was the router. I have internet from next door, don't know if they know. Luck I know how to get in the router and the default pass lol, but that's it. Thank you.
So you helped me and the owner of the router lol.

#8 Farbar

Posted 31 May 2009 - 07:36 PM

You are welcome.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



