
Problem With Pop Ups And Search Engine Results Being Re-directed [RESO


  • This topic is locked

#31
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Ooh, I was in a rush on that last one, look at the spelling errors :)

As you may gather this is the first time I have come across this one but way back in May we did make a note of it HERE which I read and then as I never came across it promptly forgot :)


Right then, let's see if we can now clear it

Disconnect all systems from the router both wireless and ethernet then run MBAM twice on each system (including the laptop), once to kill it and once to be sure

Then

It sounds like a case of Zlob/DNSchanger that changes the router's DNS settings. I have yet to deal with a case like this, but from what I gather you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If the user doesn't know the router's default password, he/she can look it up HERE

However, if there are other Zlob-infected machines using the same router, they will need to be cleared before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. The user will also need to reconfigure any security settings you had in place prior to the reset. Check out this site here for video tutorials on how to properly configure your router's encryption and security settings. They may also need to consult with their Internet service provider to find out which DNS servers your network should be using.

I have just had a look at my Netgear router and it has a small hole exactly as described, so I would imagine yours is similar

Your DNS value should be 64.59.144.92

Any questions then please shout - I am discussing this with other experts at the moment
  • 0
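
An added example, not part of the original thread: one way to check what each Windows client is actually using for DNS once the router has been reset. It parses `ipconfig /all` output, including the unlabelled continuation lines used for a second DNS server, and compares every resolver with the value the ISP is expected to hand out (64.59.144.92 in the post above). The sample output, the `203.0.113.53` stand-in address and the function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: a resolver in one of these is normally the router acting as DNS proxy.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed `ipconfig /all` sample; 203.0.113.53 is a documentation address, not a real IoC.
SAMPLE = """\
Ethernet adapter Local Area Connection:
    Default Gateway . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 203.0.113.53
                                        64.59.144.92
    Lease Obtained. . . . . . . . . . : (constructed)

Ethernet adapter Wireless Network Connection:
    DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

def parse_dns_servers(text):
    """Map adapter name -> DNS servers, including unlabelled continuation lines."""
    adapters, current, in_dns = {}, None, False
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        if not line[0].isspace():                        # section header at column 0
            current, in_dns = line.strip().rstrip(":"), False
            continue
        m = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        value = m.group(1) if m else (line.strip() if in_dns else None)
        try:
            ip = ipaddress.ip_address(value) if value else None
        except ValueError:                               # next labelled field ends the list
            ip = None
        in_dns = ip is not None
        if in_dns:
            adapters.setdefault(current, []).append(ip)
    return adapters

def audit(text, expected):
    """Return (adapter, ip, verdict) for every configured resolver."""
    allowed = {ipaddress.ip_address(e) for e in expected}
    rows = []
    for adapter, servers in parse_dns_servers(text).items():
        for ip in servers:
            on_lan = any(ip in net for net in LAN_NETS)
            # "lan-proxy": the client only sees the router, so the router's own
            # DNS setting still has to be read from its admin page.
            verdict = "expected" if ip in allowed else "lan-proxy" if on_lan else "unexpected"
            rows.append((adapter, str(ip), verdict))
    return rows

if __name__ == "__main__":
    print(*audit(SAMPLE, ["64.59.144.92"]), sep="\n")
```

A "lan-proxy" verdict is not a clean bill of health: it means the router is answering DNS for the client, so the resolver the router itself forwards to must be confirmed on the router.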


#32
Michael_888

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Okay I disconnected all 3 PCs and ran Malwarebytes two times, and made sure that they were all clear. Oh and don't worry about the spelling mistakes, we are all human :). Well I was pretty shocked that this thing has been so hard to get rid of, any time I have dealt with a problem, I usually was able to fix it myself, but this one just wouldn't quit, so I had a feeling it was something sneaky. No worries I hope all this helps now, I have a feeling we finally solved it. I have a question, there used to be a MAC hooked up to the router, not any more but it will be hooked up again in the future. It had the same issues, will I need to run something on the MAC before hooking it up to router? Hmm I don't know if you can answer that, but I hope so because I know nothing about MAC.

I have reset the router with no problems because I've had to do it before, so that should be fine. Disconnected it, and the power, put the power back and reset it a few times to make sure it was reset. I do know the default password, so that shouldn't be too much trouble, but on resetting the security settings, do you mean on the router? If so I can probably put it back how it was. I do have another question though. What exactly do you mean by the DNS Value being 64.59.144.92 and how do I do that?

Edit:

I am in the router's basic settings, I renamed it and changed the Local IP address as suggested by one of your links on this issue. Should I disable the DHCP server?

Edited by Michael_888, 26 August 2008 - 01:13 PM.

  • 0

#33
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

I have reset the router with no problems because I've had to do it before, so that should be fine. Disconnected it, and the power, put the power back and reset it a few times to make sure it was reset. I do know the default password, so that shouldn't be too much trouble, but on resetting the security settings, do you mean on the router? If so I can probably put it back how it was

Yes, you will now need to make your router secure as the Zlob trojan used the default password to gain access and change the settings. The way to change it for a Linksys is shown in this video

Ref the DNS value that is the address that your router connects to to resolve names, but I believe it will do that automatically - so ignore that part

As for the Mac I believe that Windows viruses/malware do not work on them. So if the router is clear so should your Mac

This has been a learning curve for me as well as this is my first case. However, next time should be easier now I know how the infection behaves and shows itself

When you have reset your router could you go online and see if it really has gone and let me know, then I will tidy up after me.

I am in the router's basic settings, I renamed it and changed the Local IP address as suggested by one of your links on this issue. Should I disable the DHCP server?

I will need to ask a network expert on that .. Although the way I am going I will soon know a lot more :)
  • 0

#34
Michael_888

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I think that everything is finally okay! Thanks so much, I will just do whatever is left to protect my router from future attacks when you reply back. I really appreciate all the help, we finally nailed this thing. All my updates work now, I suppose when the fake DNS was being re-directed, it was blocking access to Microsoft updates so I wouldn't be able to update. Problem fixed now!

Anyways, you were a really big help Essexboy, I can't thank you enough, I tried to fix this problem once before, but the person was not able to help! Now I just need to make sure that no one can get on here again, and I just hope that all my passwords and things are safe, I might have to change them just to be sure.

Like I said I might not be an expert, but I had a sneaky suspicion that the problem had to do with my router, since the internet was found as the reason for the return of the infection. And I am glad I helped you figure it out, maybe now you will be able to help more people if this problem should ever happen to someone else.


Edit

I changed the default password, so now it should be more safe.

Edited by Michael_888, 26 August 2008 - 01:33 PM.

  • 0

#35
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Excellent - as soon as I get a reply about the DHCP server I will let you know :)
Thank you for this learning experience and adding to my knowledge

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself so... Download and run this small programme and hit the cleanup button. It will remove all the programmes we have used plus itself

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done

VISTA
To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive i.e. C
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete
You are now done
Now that you are clean, to help protect your computer in the future I recommend that you get the following free program: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :)
  • 0

#36
Michael_888

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hmm yeah I don't think I am going to disable the DHCP server, I think the changes I made should be good. Thanks again, and I will go ahead and change all the passwords to the sites I used while I was infected.
  • 0

#37
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0