
Google redirect



#1 Luckysam28


Posted 07 June 2010 - 07:42 PM

Hello,

I am having the same problem as Ladybass in http://www.bleepingcomputer.com/forums/ind...=321625&st= . At random times my Google links will be redirected to "http://results5.google.com/" instead of the requested site. I am running Windows 7 32-bit.

Attached are the DDS scan files. I could not run GMER as it crashes every time I try to scan.

Any help will be greatly appreciated
Thank you,

~LuckySam28

Edited by Luckysam28, 07 June 2010 - 07:43 PM.




#2 Farbar


Posted 10 June 2010 - 07:22 PM

Hi Luckysam28,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @ECHO OFF
    if exist mbr.log del mbr.log
    mbr.exe -t
    ping 1.1.1.1 -n 1 -w 1500 >nul
    start mbr.log

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Right-click to run it as administrator.
    • A notepad opens, copy and paste the content (log.txt) to your reply.

  2. Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


#3 Luckysam28


Posted 11 June 2010 - 04:05 AM

Hello, Farbar!

I greatly appreciate the time you've taken to help me. I will abide by your requests by not installing any extra software or updating Windows (I seem to not be able to willingly, anyway). As instructed, here are the contents of the mbr notepad file:

CODE
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
kernel: MBR read successfully
user & kernel MBR OK


As for the malwarebytes installation, I came across a problem while downloading the file. It seems that I cannot find the server to connect to and download the installer. Here is a screenshot of what I get:



The results are similar whilst trying to access malwarebytes.org. Luckily, I saved a copy of the Malwarebytes installer on a flash drive the last time I tried to solve this problem (someone uploaded it as a mirror for me). This version is from December 2009, and unfortunately I cannot update it. Here are the results from this scan anyway:

CODE
Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/11/2010 5:05:22 AM
mbam-log-2010-06-11 (05-05-22).txt

Scan type: Quick Scan
Objects scanned: 99927
Time elapsed: 4 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.116 85.255.112.173 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2d188859-b389-4281-abce-93fccef14cc7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.116 85.255.112.173 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#4 Farbar


Posted 11 June 2010 - 07:24 AM

  1. Make sure the following setting is set as it is supposed to be set:
    • Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection (usually Local Area Connection) and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP).
      Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
    • Click OK twice to save the settings.

  2. Important: Reboot the computer.

  3. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    CODE
    @echo off
    >Log1.txt (
    ipconfig /all
    nslookup google.com
    nslookup yahoo.com
    ping -n 2 google.com
    ping -n 2 yahoo.com
    route print
    )
    start Log1.txt
    del %0

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select save in: desktop
    • Fill in File name: test.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click test.bat on the desktop.
    • A notepad opens; copy and paste its content (log1.txt) to your reply.

  4. Now try to update Malwarebytes once more and scan the computer; let it remove anything it finds. No need for screenshots if you couldn't get to the update site.


#5 Luckysam28


Posted 11 June 2010 - 10:14 AM

Alright, I went to my internet settings and the protocol was already set to automatically obtain IP and DNS server. Because of this, I did not restart my computer. I ran the script and here are my results:

CODE
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Stephen-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
   Physical Address. . . . . . . . . : 00-13-E8-AF-3B-07
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::93c:228e:2539:bc65%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, June 11, 2010 10:52:24 AM
   Lease Expires . . . . . . . . . . : Saturday, June 12, 2010 5:08:05 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 218108904
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-8B-80-4E-00-1B-24-B5-2E-3A
   DNS Servers . . . . . . . . . . . : 85.255.116.116
                                       85.255.112.173
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-1B-24-B5-2E-3A
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{2D188859-B389-4281-ABCE-93FCCEF14CC7}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e74:3447:242:3f57:fefa(Preferred)
   Link-local IPv6 Address . . . . . : fe80::3447:242:3f57:fefa%13(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
Server:  85.255.116.116.static.ukrtelegroup.com.ua
Address:  85.255.116.116

Name:    google.com
Address:  66.249.81.104

Server:  85.255.116.116.static.ukrtelegroup.com.ua
Address:  85.255.116.116

Name:    yahoo.com
Addresses:  98.137.149.56
      209.191.122.70
      67.195.160.76
      69.147.125.65
      72.30.2.43


Pinging google.com [66.249.81.104] with 32 bytes of data:
Reply from 66.249.81.104: bytes=32 time=84ms TTL=51
Reply from 66.249.81.104: bytes=32 time=147ms TTL=51

Ping statistics for 66.249.81.104:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 84ms, Maximum = 147ms, Average = 115ms

Pinging yahoo.com [69.147.125.65] with 32 bytes of data:
Reply from 69.147.125.65: bytes=32 time=167ms TTL=52
Reply from 69.147.125.65: bytes=32 time=88ms TTL=52

Ping statistics for 69.147.125.65:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 88ms, Maximum = 167ms, Average = 127ms
===========================================================================
Interface List
12...00 13 e8 af 3b 07 ......Intel(R) Wireless WiFi Link 4965AGN
11...00 1b 24 b5 2e 3a ......Broadcom NetLink (TM) Gigabit Ethernet
  1...........................Software Loopback Interface 1
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.5     30
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link       192.168.1.5    286
      192.168.1.5  255.255.255.255         On-link       192.168.1.5    286
    192.168.1.255  255.255.255.255         On-link       192.168.1.5    286
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.5    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.5    286
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
13     58 ::/0                     On-link
  1    306 ::1/128                  On-link
13     58 2001::/32                On-link
13    306 2001:0:4137:9e74:3447:242:3f57:fefa/128
                                    On-link
12    286 fe80::/64                On-link
13    306 fe80::/64                On-link
12    286 fe80::93c:228e:2539:bc65/128
                                    On-link
13    306 fe80::3447:242:3f57:fefa/128
                                    On-link
  1    306 ff00::/8                 On-link
13    306 ff00::/8                 On-link
12    286 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None


I also re-ran another quick scan of malwarebytes; here are the results:

CODE
Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/11/2010 11:08:49 AM
mbam-log-2010-06-11 (11-08-49).txt

Scan type: Quick Scan
Objects scanned: 99855
Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.116 85.255.112.173 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2d188859-b389-4281-abce-93fccef14cc7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.116 85.255.112.173 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#6 Farbar


Posted 11 June 2010 - 10:38 AM

If you like to go through the trouble of making and posting screenshots, I have no objection to that even though I don't need them. It makes the posts unnecessarily populated, but I can live with that. LOL

Good news is that we found the infection. It is the router hijacking trojan DNS-changer.
  1. Please read this: Malware Silently Alters Wireless Router Settings

  2. Consult this link to find out what is the default username and password of your router and note down them: Router Passwords

  3. Then reset your router to its factory default settings:

    QUOTE
    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds)"


  4. This is the difficult part.
    First get to the router's server. To do that, open Internet Explorer, type http://192.168.1.1 in the address bar and press Enter. You get the login window.
    Fill in the password you have already found and you will get the configuration page.
    Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard. But you have to fill in the login password your ISP has initially given to you.
    You can also call your ISP if you don't have your initial password.
    Don't forget to change the router's default password and set a strong password. Note down the password and keep it somewhere for future reference.

  5. Now reboot once.

  6. Make and run test.bat once more and post the log.

  7. Also run a quick scan of Malwarebytes and post the result.
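As an added example that is not part of the original thread: a Python script that parses the "ipconfig /all" part of a test.bat log and flags any DHCP-assigned IPv4 DNS server that is neither the gateway, on the local subnet, RFC 1918, nor on a caller-supplied allowlist, which is the pattern the log in post #5 shows (a 192.168.1.1 router handing out 85.255.x.x resolvers). The two sample logs are constructed, abbreviated copies of the before and after logs in this thread; the allowlist is there because some ISP routers legitimately hand out public resolvers, so a hit means "verify", not "infected".

```python
import ipaddress
import re

# Constructed, abbreviated "ipconfig /all" sections modelled on the two
# test.bat logs in this thread: before the router reset (the 192.168.1.1
# router hands out public 85.255.x.x resolvers) and after it (DNS points
# back at the router).
HIJACKED_IPCONFIG = """\
Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.116.116
                                       85.255.112.173
"""

CLEAN_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Tunnel adapter isatap.{520CAD27-4170-47A4-9C5E-25CC6EEFF190}:

   Media State . . . . . . . . . . . : Media disconnected
   DHCP Enabled. . . . . . . . . . . : No
"""

# "Ethernet adapter Local Area Connection:" -> kind, name
_ADAPTER_RE = re.compile(r"^(?P<kind>\S.*?) adapter (?P<name>.+):\s*$")
# "   DNS Servers . . . . : 85.255.116.116" -> key, value (3-space indent)
_FIELD_RE = re.compile(r"^ {3}(?P<key>[A-Za-z][^:]*?)[ .]*:\s*(?P<val>.*?)\s*$")
# Deeply indented continuation line carrying another value for the last key
_CONT_RE = re.compile(r"^ {4,}(?P<val>\S.*?)\s*$")


def parse_ipconfig(text):
    """Parse 'ipconfig /all' output into {adapter name: {field: [values]}}."""
    adapters = {}
    current = None
    last_key = None
    for line in text.splitlines():
        m = _ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group("name"), {})
            last_key = None
            continue
        if current is None:
            continue  # still in the global "Windows IP Configuration" header
        m = _FIELD_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            values = current.setdefault(last_key, [])
            if m.group("val"):
                values.append(m.group("val"))
            continue
        m = _CONT_RE.match(line)
        if m and last_key is not None:
            current[last_key].append(m.group("val"))
    return adapters


def _addr(value):
    """Strip decorations such as '(Preferred)' and parse an IP address, else None."""
    try:
        return ipaddress.ip_address(value.split("(")[0].strip())
    except ValueError:
        return None


def find_rogue_dns(text, allowlist=()):
    """Return {adapter: [dns]} for DHCP-configured adapters whose IPv4 DNS servers
    are neither the gateway, on the local subnet, RFC 1918, nor allowlisted.

    A hit means "verify with the ISP", not "infected": some routers legitimately
    hand out the ISP's public resolvers, which is what the allowlist is for."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    rogue = {}
    for name, fields in parse_ipconfig(text).items():
        if (fields.get("DHCP Enabled") or ["No"])[0] != "Yes":
            continue
        ipv4 = next((a for a in map(_addr, fields.get("IPv4 Address", [])) if a is not None), None)
        masks = fields.get("Subnet Mask", [])
        if ipv4 is None or not masks:
            continue  # no active IPv4 lease (e.g. "Media disconnected")
        subnet = ipaddress.ip_network(f"{ipv4}/{masks[0]}", strict=False)
        gateways = {a for a in map(_addr, fields.get("Default Gateway", [])) if a is not None}
        suspicious = []
        for raw in fields.get("DNS Servers", []):
            dns = _addr(raw)
            if dns is None or dns.version != 4:
                continue
            if dns in gateways or dns in subnet or dns.is_private or dns in allowed:
                continue
            suspicious.append(str(dns))
        if suspicious:
            rogue[name] = suspicious
    return rogue


if __name__ == "__main__":
    for label, log in (("before reset", HIJACKED_IPCONFIG), ("after reset", CLEAN_IPCONFIG)):
        print(label, "->", find_rogue_dns(log) or "DNS settings look local")
```

On a live machine, feed it the Log1.txt that test.bat produces; the same 85.255.x.x values also show up in the MBAM hits on the Tcpip\Parameters\DhcpNameServer registry data quoted earlier in the thread.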





#7 Luckysam28


Posted 12 June 2010 - 07:46 PM

While reading the article you posted, the following quote stuck out at me:

QUOTE
It's important to note, however, that if there are other Zlob-infected machines using the same router, they will need to be cleared of the trojan before resetting the router. Otherwise,the malware will simply go back and change the router's DNS settings a few minutes after the reboot, said Sunbelt's Sites.


This makes me worried because I have 2 other computers running on my network. I ran a Malwarebytes scan on one of them and found the same 2 DNS trojans that popped up in the scan on my original computer. I could not run a scan for the other computer because for some reason the installer I have refused to run. For the purpose of this fix, I disconnected the two computers from the router prior to resetting it. However, I still want to reconnect them to the internet eventually for my family to use. I hope this does not ruin our efforts here to get rid of the DNS trojan virus.

Going with the steps you posted, I successfully reset the router, went through a setup wizard on one computer, and set a good password for the login. I rebooted, and here are the logs you asked for:

test.bat log
CODE
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Stephen-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
   Physical Address. . . . . . . . . : 00-13-E8-AF-3B-07
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-1B-24-B5-2E-3A
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::508b:6ce3:ea76:947c%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, June 12, 2010 8:35:06 PM
   Lease Expires . . . . . . . . . . : Sunday, June 13, 2010 8:35:05 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 234887972
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-8B-80-4E-00-1B-24-B5-2E-3A
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{520CAD27-4170-47A4-9C5E-25CC6EEFF190}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:467:35c:3f57:fefd(Preferred)
   Link-local IPv6 Address . . . . . : fe80::467:35c:3f57:fefd%13(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{2D188859-B389-4281-ABCE-93FCCEF14CC7}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  UnKnown
Address:  192.168.1.1

Name:    google.com
Addresses:  74.125.67.99
      74.125.67.103
      74.125.67.104
      74.125.67.105
      74.125.67.106
      74.125.67.147

Server:  UnKnown
Address:  192.168.1.1

Name:    yahoo.com
Addresses:  69.147.125.65
      72.30.2.43
      98.137.149.56
      209.191.122.70
      67.195.160.76


Pinging google.com [74.125.157.99] with 32 bytes of data:
Reply from 74.125.157.99: bytes=32 time=65ms TTL=53
Reply from 74.125.157.99: bytes=32 time=57ms TTL=53

Ping statistics for 74.125.157.99:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 57ms, Maximum = 65ms, Average = 61ms

Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
Reply from 209.191.122.70: bytes=32 time=46ms TTL=54
Reply from 209.191.122.70: bytes=32 time=40ms TTL=54

Ping statistics for 209.191.122.70:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 40ms, Maximum = 46ms, Average = 43ms
===========================================================================
Interface List
12...00 13 e8 af 3b 07 ......Intel(R) Wireless WiFi Link 4965AGN
11...00 1b 24 b5 2e 3a ......Broadcom NetLink (TM) Gigabit Ethernet
  1...........................Software Loopback Interface 1
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link       192.168.1.2    276
      192.168.1.2  255.255.255.255         On-link       192.168.1.2    276
    192.168.1.255  255.255.255.255         On-link       192.168.1.2    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.2    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.2    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
13     58 ::/0                     On-link
  1    306 ::1/128                  On-link
13     58 2001::/32                On-link
13    306 2001:0:4137:9e76:467:35c:3f57:fefd/128
                                    On-link
11    276 fe80::/64                On-link
13    306 fe80::/64                On-link
13    306 fe80::467:35c:3f57:fefd/128
                                    On-link
11    276 fe80::508b:6ce3:ea76:947c/128
                                    On-link
  1    306 ff00::/8                 On-link
13    306 ff00::/8                 On-link
11    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None


mbam log:
CODE
Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/12/2010 8:41:51 PM
mbam-log-2010-06-12 (20-41-51).txt

Scan type: Quick Scan
Objects scanned: 100224
Time elapsed: 4 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#8 Farbar


Posted 13 June 2010 - 07:37 AM

For your information, when you reset the router to its factory default with the procedure outlined and put a password on the logon, there is no way the Trojan can change it. But if the login password is left as default, the Trojan can come and hijack the router again.

The router settings are as they should be now.

Both of the other computers should be cleaned of malware. I don't recommend using them before cleaning. You may start a separate topic for each of them.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt





#9 Luckysam28


Posted 13 June 2010 - 10:10 AM

Alright. I ran the scanner and no results came up. Here is the log:

CODE
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0b97a90ad8416b4f92a90680b6aa1834
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-13 02:49:36
# local_time=2010-06-13 10:49:36 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=5893 16776638 66 85 27965571 27979371 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=92877
# found=0
# cleaned=0
# scan_time=5997


#10 Farbar


Posted 13 June 2010 - 10:21 AM

It looks good.
  1. You may delete any tool or log we used from your computer.

  2. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.


Recommendations:
  1. I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  2. I recommend installing this small application for safe surfing: Javacools SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.


Happy Surfing Luckysam28.

#11 Luckysam28


Posted 13 June 2010 - 10:32 AM

Alright. I ran the scanner and no results came up. Here is the log:

CODE
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0b97a90ad8416b4f92a90680b6aa1834
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-13 02:49:36
# local_time=2010-06-13 10:49:36 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=5893 16776638 66 85 27965571 27979371 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=92877
# found=0
# cleaned=0
# scan_time=5997


#12 Luckysam28


Posted 13 June 2010 - 10:37 AM

Thank you so much, Farbar!
I greatly appreciate the time and effort you put into helping me out. I have learned a lot about my router and its settings thanks to your clear and precise walk-through to clean my system. It's very nice to have such generous help from a forum site!

Best regards,

Luckysam28

#13 Farbar


Posted 13 June 2010 - 10:46 AM

You are most welcome Luckysam28.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



