IP address hijack


18 replies to this topic

#1 Shawnee2

  • Members
  • 56 posts

Posted 09 August 2011 - 09:58 PM

Referred from here: http://www.bleepingcomputer.com/forums/topic413280.html ~ OB

I have worked the last couple of days with Broni concerning an issue that has my computer really slow once I click on an icon. Ran several utilities and everything looked clean except he stated that my IP address appeared to have been hijacked by someone in the Ukraine. I am not sure how to post a link to the thread but it is "Slow start-up, excessive CPU usage" under the 'Am I Infected' section. It will show the IP addresses of concern (I attached the log from the MiniToolBox results). He suggested flushing the DNS and resetting the modem.

I worked with my provider and we did flush and reset the system and it did not appear to be any better. I was running through a wireless router at the time so I decided to see what happened if I disabled the wireless and straight wired the laptop. Once I restarted everything, I did not have the speed problem anymore running wired. Reran MiniToolBox and the suspect IP addresses were no longer present. Connected the wireless again and MBAM blocked an outgoing attempt to 221.192.199.49. I also suddenly started getting some attacks from 58.218.199.227. Every time I try to connect through the wireless I start getting hammered with attacks.

So that's where I am right now. Everything works great running wired. Slow going wireless (Cisco router). I have attached the two DDS files. When I try to run GMER, it locks up every time at the same location (I wrote it down if you need it). I had the same issue with Broni and he had me run RootKit Unhooker. Let me know what you need next and thanks for the help.

Attached Files


Edited by Orange Blossom, 09 August 2011 - 10:34 PM.




#2 shelf life

  • Malware Response Team
  • 2,657 posts

Posted 11 August 2011 - 05:18 PM

I didn't look at the previous link. What comes to mind: have you checked the DNS settings in your router or set it back to its defaults? When you're wireless you're going through your router, which must have the "bad" DNS settings hard coded in it, hence the redirection. Wired, no problem, no router.
Setting it back to its defaults will mean you will have to put back in any changes you made.

How Can I Reduce My Risk to Malware?


#3 Shawnee2
  • Topic Starter

  • Members
  • 56 posts

Posted 11 August 2011 - 06:40 PM

Have not tried to reset the router configuration but probably need to try that next. Did just notice that MBAM just blocked the same site (running wired) as incoming as it was blocking outgoing when I was wireless. Something has got to be triggering it from my computer.

#4 shelf life

  • Malware Response Team
  • 2,657 posts

Posted 11 August 2011 - 08:38 PM

reset the router
The router vendor's website will have directions. If it fixes the problem I would download and install the latest firmware, also from the vendor.

blocked the same site (running wired) as incoming
This is because they know your IP now and are probably doing some exploration (i.e. port scanning).

as it was blocking outgoing
Malware is pinging the web site and yes, I would say because of this you have malware on your machine.

Let's see what ComboFix can dig up. There is a guide to read first. Read through the guide, then apply the directions on your own machine. Please post the log. I won't be back online for 16-18 hrs.

Guide to using Combofix



#5 Shawnee2
  • Topic Starter

  • Members
  • 56 posts

Posted 11 August 2011 - 09:33 PM

Attached is the ComboFix scan. I will try the reset of the router and see what happens.

Attached Files



#6 shelf life

  • Malware Response Team
  • 2,657 posts

Posted 12 August 2011 - 04:10 PM

Don't see a whole lot in the ComboFix log. Try the router reset and see how it goes. You will have to put back in any changes you had made, like a new password, DNS settings etc. The vendor website should have good information about doing a reset back to factory defaults.



#7 Shawnee2
  • Topic Starter

  • Members
  • 56 posts

Posted 12 August 2011 - 07:34 PM

Did the reset on the router and then tried to configure all the settings and the computer just sits and churns with no action taking place. Disconnect from the router, run wired and everything is fine as before. I did try to run through the router wired (wired from modem to wireless router and then wired to computer) and have the same issue with it. Takes about ten minutes to load up either Outlook or my home page.

I am about to wipe the computer clean and get a new router and see what happens from there. Any other advice before I get desperate and go this route?

#8 shelf life

  • Malware Response Team
  • 2,657 posts

Posted 12 August 2011 - 08:10 PM

So the router reset made things worse, it seems? Trying to diagnose problems via a forum can be a slow process with all the guessing. Reformatting and reinstalling Windows would take care of any potential malware problems that could be on your machine. It's up to you. In some cases it may be quicker actually. My advice would be to visit the router's website for FAQ/guides etc. first. The router reset shouldn't have made things worse as far as accessing the internet goes. Really depends on how much time you want to spend on it, I guess.



#9 Shawnee2
  • Topic Starter

  • Members
  • 56 posts

Posted 12 August 2011 - 08:35 PM

Seems as though it is worse. I know I can clean the malware by reformatting. I am just concerned that it could return somehow through the router. Would this be possible? I am headed out of town for a few days so it might be a while before I get back to you.

#10 shelf life

  • Malware Response Team
  • 2,657 posts

Posted 13 August 2011 - 01:41 PM

Yes, reformatting would remove malware on your machine. I assume you rebooted everything after the reset: the router, modem and computer? You can also apply the latest firmware version from the vendor if there is one. This should make the router as good as new.



#11 Shawnee2
  • Topic Starter

  • Members
  • 56 posts

Posted 16 August 2011 - 09:11 AM

Back from vacation now. I will try to update the firmware on the router this evening when I get home. Is there anything else to try on the laptop side before I reformat? This is a last resort I know, so if there is something else I am willing to give it a try.

#12 shelf life

  • Malware Response Team
  • 2,657 posts

Posted 17 August 2011 - 05:53 PM

For the computer there are two places I can think of where a DNS setting could be hard coded: one is in the TCP/IP properties setup, the other in the registry. I am in Linux right now. Next time I am in Windows I will post back with directions to check them, unless you have reformatted by now, that is.



#13 Shawnee2
  • Topic Starter

  • Members
  • 56 posts

Posted 18 August 2011 - 04:43 PM

Let me know what you find out. I still have not reformatted but thinking of doing this weekend if I can not get this straightened out.

#14 Shawnee2
  • Topic Starter

  • Members
  • 56 posts

Posted 18 August 2011 - 07:14 PM

Went to another wireless connection and ran the MiniToolBox. Did not see the issue with the hijacked IP address. I have attached the file. Once I get back to the house and run MTB the IP addresses return.

Attached Files


Edited by Shawnee2, 18 August 2011 - 08:23 PM.


#15 shelf life

  • Malware Response Team
  • 2,657 posts

Posted 20 August 2011 - 02:38 PM

another wireless connection

This makes me think that it is your router providing the malicious DNS. After resetting the router you should check to see if there is a firmware update you can download and apply from the vendor. What's the make/model of your router?

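The checks shelf life describes in posts #12 and #15 (DNS hard coded in the adapter's TCP/IP properties, DNS hard coded in the registry, and a router handing out a rogue resolver over DHCP) can be done in one pass from the affected Windows machine. The script below is an added example written for this thread, not something posted by either participant or shipped with any of the tools mentioned. It assumes Windows 8 / Server 2012 or later (for the Get-DnsClientServerAddress and Resolve-DnsName cmdlets), and the addresses in $ExpectedDns are constructed placeholders that you replace with your own router's LAN address and your ISP's or chosen public resolvers.

```powershell
# Added example, not from the thread. Audit which DNS resolvers a Windows client
# is actually using and flag any that are not on an expected list.

# Constructed placeholders: put your router's LAN address and your ISP's or
# chosen public resolvers here.
$ExpectedDns = @('192.168.1.1', '8.8.8.8', '8.8.4.4')

function Get-DnsAudit {
    param([string[]]$Expected = $ExpectedDns)

    $findings = @()

    # 1. Live adapter configuration (what the TCP/IP properties dialog shows).
    #    DHCP-assigned servers from the router land here too, so a router
    #    pushing a rogue resolver is visible on the wireless adapter.
    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($srv in $cfg.ServerAddresses) {
            $findings += [pscustomobject]@{
                Source   = "Adapter: $($cfg.InterfaceAlias)"
                Server   = $srv
                Expected = ($Expected -contains $srv)
            }
        }
    }

    # 2. Registry, per interface: NameServer is a static override, DhcpNameServer
    #    is what the DHCP server (normally the router) handed out.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($key in Get-ChildItem $base) {
        $props = Get-ItemProperty $key.PSPath
        foreach ($field in 'NameServer', 'DhcpNameServer') {
            $val = $props.$field
            if ([string]::IsNullOrWhiteSpace($val)) { continue }
            # Both values are space- or comma-separated lists of addresses.
            foreach ($srv in ($val -split '[ ,]+' | Where-Object { $_ })) {
                $findings += [pscustomobject]@{
                    Source   = "Registry $field ($($key.PSChildName))"
                    Server   = $srv
                    Expected = ($Expected -contains $srv)
                }
            }
        }
    }

    # 3. Registry, global: a NameServer set here applies to every interface and
    #    is easy to overlook because the adapter dialog does not show it.
    $globalNs = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').NameServer
    if (-not [string]::IsNullOrWhiteSpace($globalNs)) {
        foreach ($srv in ($globalNs -split '[ ,]+' | Where-Object { $_ })) {
            $findings += [pscustomobject]@{
                Source   = 'Registry NameServer (global Tcpip\Parameters)'
                Server   = $srv
                Expected = ($Expected -contains $srv)
            }
        }
    }

    return $findings
}

function Test-DnsConsistency {
    # Resolve one name through the system's configured resolver and through a
    # known reference resolver; a mismatch is a hint (not proof, because CDNs
    # legitimately return different answers) that resolution is being redirected.
    param([string]$Name = 'www.example.com', [string]$Reference = '8.8.8.8')

    $viaSystem    = (Resolve-DnsName -Name $Name -Type A -ErrorAction Stop | Where-Object Type -eq 'A').IPAddress
    $viaReference = (Resolve-DnsName -Name $Name -Type A -Server $Reference -ErrorAction Stop | Where-Object Type -eq 'A').IPAddress

    [pscustomobject]@{
        Name         = $Name
        ViaSystem    = ($viaSystem | Sort-Object) -join ','
        ViaReference = ($viaReference | Sort-Object) -join ','
        Consistent   = (-not (Compare-Object $viaSystem $viaReference))
    }
}

$audit = Get-DnsAudit
$audit | Format-Table -AutoSize
$bad = $audit | Where-Object { -not $_.Expected }
if ($bad) {
    Write-Warning ("Unexpected DNS servers configured: " + (($bad.Server | Sort-Object -Unique) -join ', '))
}
Test-DnsConsistency | Format-Table -AutoSize
```

Run it once on the wired connection and once on the wireless one: if the unexpected server only appears under the wireless adapter (and in DhcpNameServer for that interface), the router is the source, which is what shelf life concludes from the "other wireless connection" test; if it also appears under NameServer or in the global Tcpip\Parameters key on the wired connection, the setting is hard coded on the machine itself.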

