[ Done ] Can't navigate to Windows Update - MSN.com instead

*

Offline bamajim

  • Administrator
  • Platinum Member
  • 3116
Re: [ In Progress ] Can't navigate to Windows Update - MSN.com instead
« Reply #15 on: November 24, 2008, 08:43:34 AM »
Malwarebytes' Anti-Malware 1.30
Database version: 1406
Windows 5.1.2600 Service Pack 3

11/24/2008 8:29:11 AM
mbam-log-2008-11-24 (08-29-11).txt

Scan type: Quick Scan
Objects scanned: 55379
Time elapsed: 5 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.224 85.255.112.64 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7c22555c-8d5b-443f-b954-970a36260fdf}\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.224 85.255.112.64 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.224 85.255.112.64 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7c22555c-8d5b-443f-b954-970a36260fdf}\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.224 85.255.112.64 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.224 85.255.112.64 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7c22555c-8d5b-443f-b954-970a36260fdf}\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.224 85.255.112.64 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

bte52

We are seeing a number of these and they are reloading from the router.
This is what I want you to do.
1. Disconnect this PC from the router (isolate it). If it's wireless, turn off the wireless connection. If it's physically connected by cable, unplug it.

2. Rerun MBAM

3. Reboot your PC ->> Rerun MBAM and see if the scan comes up clean the second time (while still disconnected).

Reply with the results.

2008-2010
Rights cannot exist without morals

*

Offline bte52

  • Bronze Member
  • 13
Re: [ In Progress ] Can't navigate to Windows Update - MSN.com instead
« Reply #16 on: November 24, 2008, 09:21:02 AM »
Here is a log of the scan with the network cable disconnected from the NIC. Appears to be all clean, so the router must have something to do with it, but I am confused because another PC across the room here is not having this problem.

Ed


Malwarebytes' Anti-Malware 1.30
Database version: 1406
Windows 5.1.2600 Service Pack 3

11/24/2008 10:16:07 AM
mbam-log-2008-11-24 (10-16-07).txt

Scan type: Quick Scan
Objects scanned: 56405
Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*

Offline bamajim

  • Administrator
  • Platinum Member
  • 3116
Re: [ In Progress ] Can't navigate to Windows Update - MSN.com instead
« Reply #17 on: November 24, 2008, 09:24:56 AM »
bte52

The router will have to be reset. A hard reset (using the reset button). If you have an IT person there, get them to do it.
It reloads the DNS hijack by IP address. That is why yours is singled out. Before long other PCs on your network will get infected.

When you have done so please reply.

2008-2010
Rights cannot exist without morals
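
The check behind the isolate-and-rescan steps and the router reset, as an added example that is not part of the original thread: it parses the "Registry Data Items Infected" lines of an MBAM text log and reports DNS registry values that hold resolvers outside an expected set. The function name and the expected resolver `192.168.1.1` are assumptions; the two sample lines are copied from the log in Reply #15.

```python
import re
from ipaddress import ip_address

# Two "Registry Data Items Infected" lines copied from the log in Reply #15.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.224 85.255.112.64 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7c22555c-8d5b-443f-b954-970a36260fdf}\DhcpNameServer (Trojan.DNSChanger) -> Data: 0.255.112.224 85.255.112.64 1.2.3.4 -> Quarantined and deleted successfully.
"""

# Assumption: the resolver this LAN is supposed to hand out (placeholder value).
EXPECTED_RESOLVERS = ["192.168.1.1"]

# <registry key>\<value name> (<threat>) -> Data: <data> -> <action>
LINE_RE = re.compile(
    r"^(?P<key>HKEY_.+)\\(?P<value>[^\\ ]+) \((?P<threat>[^)]+)\)"
    r" -> Data: (?P<data>.*?) -> (?P<action>.+)$"
)

def unexpected_resolvers(log_text, expected):
    """List DNS registry entries in an MBAM log whose data holds resolvers
    outside `expected`. DhcpNameServer is filled from the DHCP lease, so a
    hit there points at whatever answers DHCP (here, the router)."""
    allowed = {ip_address(a) for a in expected}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["value"] not in ("DhcpNameServer", "NameServer"):
            continue
        bad = []
        # DhcpNameServer is space-separated, NameServer may use commas.
        for token in m["data"].replace(",", " ").split():
            try:
                if ip_address(token) not in allowed:
                    bad.append(token)
            except ValueError:
                bad.append(token)  # not an IP address at all: report it too
        if bad:
            source = "dhcp" if m["value"] == "DhcpNameServer" else "static"
            findings.append({"key": m["key"], "source": source, "bad": bad})
    return findings

if __name__ == "__main__":
    for f in unexpected_resolvers(SAMPLE_LOG, EXPECTED_RESOLVERS):
        print(f["source"], f["key"], f["bad"])
```

Every hit in the sample is a `dhcp` source, which matches the thread's finding that the setting comes back from the router rather than from a file on the PC.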

*

Offline bte52

  • Bronze Member
  • 13
Re: [ In Progress ] Can't navigate to Windows Update - MSN.com instead
« Reply #18 on: November 24, 2008, 10:05:28 AM »
We reset the router and I am now able to navigate to Windows Update. Does this mean that the Trojan.DNSChanger is gone from the network? We have another router across the street for our Chrysler showroom, should I reset that router as well? Do you need another log? Thanks for all of your work.

Ed

*

Offline bamajim

  • Administrator
  • Platinum Member
  • 3116
Re: [ In Progress ] Can't navigate to Windows Update - MSN.com instead
« Reply #19 on: November 24, 2008, 10:16:26 AM »
bte52

You are most welcome.
The other router will not need to be reset unless a PC on that network begins experiencing problems.

However it is a good practice to do periodic router resets. Semi-annually or Quarterly.

Please post a fresh Hijackthis log so I can see that it is clean.

2008-2010
Rights cannot exist without morals

*

Offline bte52

  • Bronze Member
  • 13
Re: [ In Progress ] Can't navigate to Windows Update - MSN.com instead
« Reply #20 on: November 24, 2008, 10:41:24 AM »
Connected to router:

Malwarebytes' Anti-Malware 1.30
Database version: 1406
Windows 5.1.2600 Service Pack 3

11/24/2008 11:39:27 AM
mbam-log-2008-11-24 (11-39-27).txt

Scan type: Quick Scan
Objects scanned: 57674
Time elapsed: 8 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks again Bamajim!

All Windows Updates now downloaded and installed

*

Offline bamajim

  • Administrator
  • Platinum Member
  • 3116
Re: [ In Progress ] Can't navigate to Windows Update - MSN.com instead
« Reply #21 on: November 24, 2008, 10:45:18 AM »
bte52

You may now remove/delete/uninstall the tools we used to clean your PC

Now that your log is clean

There are some final notes:

Let's create a clean System Restore point
The instructions are here

Update your Anti Virus Software

Use and maintain a Firewall

Pick the version that matches your browser

Visit Microsoft's Windows Update Site Frequently for critical updates

Backup your Important Documents and Files on a regular basis
  • To a disc or a USB key, not your hard drive


You may want to read this article, "So how did I get infected in the first place" by Tony Klein

surf safe

2008-2010
Rights cannot exist without morals