Question

http://windowsupdate.microsoft.com/ is redirected to Google.com

Asked by: howspa

Here's the weird thing -- this only happens on my home wifi network.  I do not have these problems when I am at work, or even if I use the wifi at Starbucks.  But at home, the mischief begins.  Symptoms on home wifi (which is WEP encrypted):  I can download and install anti-virus software (Malware, Trend Micro, McAfee) but I cannot update -- these are blocked.  I cannot download any MS security updates AT HOME.  I downloaded and ran the MS updates at work.  Nothing was found, including Conficker -- which I suspected because of these symptoms.  In addition to my laptop, there are 2 other PCs on my home network -- all show the same symptoms.  I've run all scans on all PCs and all say they are clean.  But these symptoms persist.  What is going on?  Is it possible for a worm or a virus to live on my wireless router?

Asked On: 2009-04-01 at 21:56:06 (ID 24287423)
Tags: Windows XP SP 3 on a Dell Latitude D620 laptop
Topic: HijackThis Software
Participating Experts: 3
Points: 500
Comments: 21


Answers

by: jd_programmer1, posted on 2009-04-01 at 23:03:42 (ID: 24046823)

It is possible for the router to be redirecting the requests, although that is unlikely. Have you tried removing it from the picture and just connecting your laptop straight to your broadband modem? That would determine whether the problem is with the router or another source, like your ISP (again, quite unlikely, but hey, you never know).

by: jd_programmer1, posted on 2009-04-01 at 23:10:21 (ID: 24046848)

One other thing - you might try scanning one of the machines with SUPERAntiSpyware (http://www.superantispyware.com/ - the free version will do) and/or MalwareBytes Anti-Malware (http://www.malwarebytes.org/mbam.php - also free).

Someone posted here that SUPERAntiSpyware took care of a similar problem, although it could certainly be something more substantial. http://www.vistaheads.com/forums/microsoft-public-internetexplorer-general/329507-windows-update-redirected-google-cant-fix.html

by: jd_programmer1, posted on 2009-04-01 at 23:10:48 (ID: 24046852)

OK, it's too late for me - I see that you already have MalwareBytes Anti-Malware in your HJT log, so scratch that one. :)

by: halejr1, posted on 2009-04-01 at 23:18:29 (ID: 24046899)

Here is what will probably fix it for you.

http://support.microsoft.com/kb/193385

Navigate to your C:\Program Files\WindowsUpdate directory.

You will probably see a V4 and a Cabs subdirectory in addition to maybe a few dozen files.

Delete all files (don't delete the V4 and the Cabs directory). If you're nervous about doing that, then make a backup directory there and move the files into it.

So there should be no files in C:\Program Files\WindowsUpdate.

Go into the V4 directory. There might be a few files there, and maybe a temp directory. Delete everything (including the temp directory) EXCEPT for the file iuhist.xml. Then go back into C:\Program Files\WindowsUpdate. MS says you can delete the Cabs directory, but I just went into the Cabs directory and deleted what was there (1 file, I think).

That's it. Close all IE windows and then open IE and try Windows Update.

by: howspa, posted on 2009-04-02 at 16:04:40 (ID: 24055476)

halejr1's suggestion was not helpful.

>>Navigate to your C:\Program Files\WindowsUpdate directory.
>>You will probably see a V4 and a Cabs subdirectory in addition to maybe a few dozen files.

There are no files or folders at all in C:\Program Files\WindowsUpdate on any of my 2 home PCs and my laptop (I made sure that I can view hidden files, folders and operating system files).

>>Delete everything (including the temp directory) EXCEPT for the file iuhist.xml.

I do not have an iuhist.xml file.  I wonder if one of the scans that I've run has deleted everything (McAfee, Trend Micro, Malware, and the MS security updates and malicious software remover).

Don't forget the key mystery here -- when I take my laptop to work, or to Starbucks, etc., I have no problem connecting to http://windowsupdate.microsoft.com.  The problem only exists when I boot up and connect via my home network (wifi or ethernet and a Comcast cable modem).

by: howspa, posted on 2009-04-02 at 17:02:05 (ID: 24055735)

Dear jd_programmer1:

I could not download this software (blocked by my malware!) so I had a friend download and email it to me.  But, foiled again, during the install the software tried to download the latest definition files and -- of course -- I was blocked again!  Do you know if the latest definition files can be downloaded and emailed to me?

>>Someone posted here that SUPERAntiSpyware took care of a similar problem, although it could certainly be something more substantial. http://www.vistaheads.com/forums/microsoft-public-internetexplorer-general/329507-windows-update-redirected-google-cant-fix.html

by: jd_programmer1, posted on 2009-04-02 at 20:27:19 (ID: 24056400)

You can manually download the definitions from this link: http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE

FYI, this is off of http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE. Just in case you don't want to click that link and would rather go from their site. Hopefully this will take care of your issue!

by: jd_programmer1, posted on 2009-04-02 at 20:27:44 (ID: 24056401)

Sorry, the second link was supposed to be http://www.superantispyware.com/definitions.html. This is just a page about the latest definitions.

by: halejr1, posted on 2009-04-02 at 22:55:57 (ID: 24056972)

Howspa -- based on what you said regarding your "going to work, or Starbucks and no problems..." it sounds to me like your DNS from home has been hijacked. Compare your DNS settings when home and away, and also do an NSLOOKUP from home to some of these sites that keep failing, i.e.

NSLOOKUP update.microsoft.com (or a site that's giving you problems), and you should get something similar to this:

C:\Users\blar>nslookup
Default Server:  io.mydomain.local
Address:  192.168.55.15

> update.microsoft.com
Server:  io.mydomain.local
Address:  192.168.55.15

Non-authoritative answer:
Name:    update.microsoft.com.nsatc.net
Address:  65.55.184.29
Aliases:  update.microsoft.com
****************************************************
If your nameserver is not resolving correctly, then you are pointing to the wrong or a bad nameserver from your home network. Also, this assumes you are not running a local proxy server.

The only thing that's different between home and Starbucks is that you have a different DHCP source and a different local network. Your DHCP source will provide you with an IP address, SNM, default gateway, DNS / WINS and other entries. I would be interested to see what your ipconfig /all looks like.

by: howspa, posted on 2009-04-13 at 11:05:56 (ID: 24131576)

jd_programmer1 suggested that "It is possible for the router to be redirecting the requests, although that is unlikely. Have you tried removing it from the picture and just connecting your laptop straight to your broadband modem?"

I tried this.  While it didn't work for my laptop (I couldn't get an IP address), it did work for my desktop.  As soon as I bypassed my home network router, I was able to go to updates.microsoft.com, and download approximately 25 updates that I've been blocked from getting over the last year.

So, the problem is my router -- and it has been redirecting me all along!

Do I throw it away and just buy a new one?  How do I prevent this from happening again?

by: howspa, posted on 2009-04-13 at 11:31:51 (ID: 24131784)

Dear halejr1

>>Howspa-- based on what you said regarding your "going to work, or starbucks and no problems..." it sounds to me like your DNS from home has been hijacked.... compare your DNS settings when home and away and also do an NSLOOKUP from home to some of these sites that keep failing.  i.e.

I was out of town for a week, so I will do this and send you the results of NSLOOKUP and IPCONFIG from both work and home.

As I said in my previous comment, I bypassed the router and my home desktop was able for the first time in a year to download all the Microsoft updates as well as all of my anti-virus software updates, so the problem was clearly in the router.  But doesn't the DHCP source for DNS, etc. all originate from Comcast (my ISP)?  How could my DNS be hijacked in the first place?

by: howspa, posted on 2009-04-13 at 11:35:24 (ID: 24131820)

One more comment about my situation --

I've noticed that when I'm home with my laptop, or on the desktops, I get non-stop banner ads for Vimax penis enlargement pills.  This doesn't happen at work or anywhere else.  My anti-virus software (and I've tried 3 complete scans from McAfee, SuperAnti-virus, and Trend Micro) has no impact on the presence of these ubiquitous Vimax banners -- even when I copied the latest pattern files onto these PCs from a memory stick instead of downloading them.

Thanks for any suggestions

by: howspa, posted on 2009-04-13 at 21:18:59 (ID: 24134963)

Dear halejr1:

>>Howspa-- based on what you said regarding your "going to work, or starbucks and no problems..." it sounds to me like your DNS from home has been hijacked.... compare your DNS settings when home and away and also do an NSLOOKUP from home to some of these sites that keep failing.

See attached word file.  I noticed immediately that my DNS server at home was a Ukraine domain and did a Whois (see below).  Did these folks hijack my DNS?  How do I fix this?  THANKS!

IP Information for 85.255.113.2
IP Location:   Ukraine Odessa Ukrtelegroup Ltd  
Resolve Host:  85.255.113.2.static.ukrtelegroup.com.ua  
IP Address:  85.255.113.2      
Blacklist Status:  Clear  

by: jd_programmer1, posted on 2009-04-13 at 22:16:06 (ID: 24135132)

Hey howspa, sorry for taking so long to get back to you. Since this looks like the problem may indeed be with your router, you should probably look at its DNS settings. It should indeed be pulling these settings from your ISP, but it is possible to set them manually, which may have been done maliciously. You can hard-input the DNS settings from Comcast that you got when you hooked up your desktop directly to the modem, or you could use OpenDNS's servers. (See an easier-than-dirt guide for setting up pretty much any router here https://www.opendns.com/start/router/).

If that doesn't work, you could also reset your router back to its factory defaults. It should be able to work with Comcast out of the box, but you will lose any security settings (wireless SSID [network name] and passwords). Can you give us the brand and model number of your router?

by: howspa, posted on 2009-04-14 at 10:33:21 (ID: 24140608)

Dear jd_programmer1:

Thanks for your response.  I have a Linksys Wireless-G 2.4GHz 802.11g router at home.  I set it up myself (took it out of the box, plugged it in and turned it on -- I didn't hard-input any DNS settings, nor did anyone else).   Should I reset my router or just buy a new one?  Is Linksys more vulnerable than others?

Any comment about the Ukraine-based IP that has hijacked my DNS server (see NSLOOKUP below)?  Did you see the IP address that my network thinks belongs to update.microsoft.com?  It's Google "English".  This hijack diverts every attempt to update any security updates or anti-virus pattern files.  Nearly all my banner ads seem to be for Vimax penis enlargement -- could this be the purpose of this hijack?

How did Ukrtelegroup Ltd ever take over my DNS in the first place?  How come this is beyond the scope of any anti-virus software?  After I reset my router, how do I prevent this from happening again?

If a router is compromised like mine, can the perpetrator access the computers on my network (for personal info, identity theft, etc.)?  In other words, how worried should I be?

NSLOOKUP from my laptop at home:

C:\DOCUME~1\CARL~1.SPA>nslookup update.microsoft.com
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 85.255.116.146: Timed out
Server:  85.255.112.225.static.ukrtelegroup.com.ua
Address:  85.255.112.225

Non-authoritative answer:
Name:    update.microsoft.com
Address:  72.14.205.100

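The check halejr1 describes above (compare the resolver and the answer for the same name at home and on a trusted network) and the transcript howspa posted from the hijacked network, turned into an offline detector. This is an added example, not code from the thread: the sample transcripts are constructed from the figures quoted here, and the trusted resolver ranges are placeholder assumptions to be replaced with the ISP's real resolver addresses. Because the nslookup header names whichever resolver actually answered, the same check covers the per-PC variant markiv396TIC mentions below, where the rogue servers are typed into the host's TCP/IP settings rather than handed out by the router.

```python
# Offline detector for the DNS-hijack signs discussed in this thread: a resolver
# outside the LAN/ISP and a name that resolves differently at home than on a
# trusted network. Sample transcripts are constructed from figures quoted here.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Where a home PC's resolver should live: the LAN (the router, forwarding to
# the ISP) or a public resolver the household chose. Assumption for the example;
# replace with the ISP's published resolver addresses.
TRUSTED_RESOLVER_NETS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
    "208.67.222.222/32", "208.67.220.220/32",  # OpenDNS, suggested in the thread
)]


@dataclass
class Lookup:
    server_name: str = ""
    server_ip: Optional[ipaddress.IPv4Address] = None
    qname: str = ""
    answers: List[ipaddress.IPv4Address] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def parse_nslookup(text: str) -> Lookup:
    """Parse a Windows `nslookup <name>` transcript. The 'Server:'/'Address:'
    header names the resolver that answered, whatever configured it."""
    lk, in_answer = Lookup(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("***", "DNS request timed out")):
            lk.errors.append(line)         # e.g. the resolver has no PTR record
        elif line.startswith("Server:"):
            lk.server_name = line.split(":", 1)[1].strip()
        elif line.startswith("Name:"):
            lk.qname = line.split(":", 1)[1].strip()
            in_answer = True               # addresses from here on are answers
        elif in_answer or line.startswith(("Address:", "Addresses:")):
            ips = [ipaddress.ip_address(m) for m in IPV4.findall(line)]
            if in_answer:
                lk.answers.extend(ips)
            elif ips and lk.server_ip is None:
                lk.server_ip = ips[0]      # the resolver that answered
    return lk


def resolver_findings(servers: List[ipaddress.IPv4Address]) -> List[str]:
    """Flag every resolver that is neither on the LAN nor a chosen public one."""
    return [f"resolver {ip} is outside the trusted ranges" for ip in servers
            if not any(ip in net for net in TRUSTED_RESOLVER_NETS)]


def compare_lookups(home: Lookup, away: Lookup) -> List[str]:
    """halejr1's test: look the same name up from home and from a trusted
    network. Disjoint answers are a finding to verify, not proof (CDNs vary)."""
    findings = resolver_findings(
        [home.server_ip] if home.server_ip is not None else [])
    findings += [f"home resolver: {e}" for e in home.errors]
    if home.answers and away.answers and not set(home.answers) & set(away.answers):
        findings.append(f"{away.qname or home.qname}: home answers "
                        f"{[str(a) for a in home.answers]}, trusted network "
                        f"answers {[str(a) for a in away.answers]}")
    return findings


# Constructed samples; the addresses are the ones quoted in the thread.
HOME_NSLOOKUP = """\
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 85.255.116.146: Timed out
Server:  85.255.112.225.static.ukrtelegroup.com.ua
Address:  85.255.112.225

Non-authoritative answer:
Name:    update.microsoft.com
Address:  72.14.205.100
"""
AWAY_NSLOOKUP = """\
Server:  io.mydomain.local
Address:  192.168.55.15

Non-authoritative answer:
Name:    update.microsoft.com.nsatc.net
Address:  65.55.184.29
Aliases:  update.microsoft.com
"""

if __name__ == "__main__":
    for finding in compare_lookups(parse_nslookup(HOME_NSLOOKUP),
                                   parse_nslookup(AWAY_NSLOOKUP)):
        print("FINDING:", finding)
```

Running it against the constructed home transcript reports the off-LAN resolver, the two resolver errors, and the answer that disagrees with the trusted network; run against the trusted transcript on both sides it reports nothing.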
by: jd_programmer1, posted on 2009-04-14 at 20:37:23 (ID: 24144549)

To answer your questions in order:

 - I would first hard-reset your router. This can be accomplished by poking the small reset hole in the back of the unit (I use a bent paperclip) for 5-10 seconds. Then log in to the router (should be IP address 192.168.1.1 with no user name and password of "admin") and change the password to something more secure. I would also change the SSID (network name) and enable encryption. I read that you are using WEP - if you can, you should use something more secure, like WPA.
This process will tell us if the router is indeed "hijacked." If the problems are solved after this, then the router was the culprit. If not, then it's on to other suggestions.

 - Linksys routers should not be any more vulnerable than other brands. As long as the default passwords and SSID are changed, then any router should be fairly secure.

 - To be honest, I do not know anything in particular about that DNS server. A Google search for "85.255.112.225" does bring up some malware-related hits, but they point to problems with a PC, not a router. If you have time, you may consider posting a HijackThis log on a legitimate site. My favorite is BleepingComputer - see instructions for doing so at http://www.bleepingcomputer.com/forums/topic34773.html

 - The banner popups could indeed be caused by the DNS hijack, as legitimate requests could be redirected to those sites, and other sites that you are redirected to may cause the popups, as well.

 - I don't know how the DNS could have been hijacked for sure. If the router was hijacked, it was probably due to a default or weak password, or the use of WEP encryption. If it's on the computer side, malware has many great ways of infecting computers. We've recently had quite a problem at work with our corporate antivirus not picking up some malware, which has been quite a pain.

 - If the router was compromised, it does not necessarily mean the perpetrator had access to information on your computers. If he/she was able to access the router, though, he/she may have had access to the computers. If firewall software was running on the computers, they should be safe. There is no guarantee here. Basically, he/she would have had access to your local network, as if he/she had plugged in to the router or gotten on your wireless. I wouldn't see any reason to be worried, but running a free credit report (www.annualcreditreport.com) would be smart just in case.

I hope that all of this helps. Please feel free to post any more questions.

by: markiv396TIC, posted on 2009-04-18 at 09:23:11 (ID: 24175816)

>>Hey howspa, sorry for taking so long to get back to you. Since this looks like the problem may indeed be with your router, you should probably look at its DNS settings. It should indeed be pulling these settings from your ISP, but it is possible to set them manually, which may have been done maliciously. You can hard-input the DNS settings from Comcast that you got when you hooked up your desktop directly to the modem, or you could use OpenDNS's servers. (See an easier-than-dirt guide for setting up pretty much any router here https://www.opendns.com/start/router/).

Great comments, and in a similar but slightly different scenario the same redirect DNS site has manipulated and hard-coded DNS settings in a user's TCP/IP settings, causing the same symptoms. The difference is that it follows the user regardless of which Internet connection they use (home, work, coffee shop, etc.).

by: howspa, posted on 2009-04-20 at 22:26:29 (ID: 24191096)

OK, it's solved.  Thanks to many of you for your suggestions.  While I've fixed everything now, and all symptoms are gone, I still have some doubt about how the situation arose in the first place -- any thoughts would be appreciated as it will help me prevent similar problems going forward.  I would like any comments and then I will complete my task by awarding acknowledgements.  

1. The DNS1 and DNS2 in my Netsys router for my home network were hard-input.  We replaced the router in Dec 2006.  We think my 15 year old son looked at the DNS settings in the old router at the time and typed them into the new router.  So, they haven't changed in nearly 3 years.

2. Our router password was right out of the box "Admin" with no user name.

3. Unknown to us (until this week), Comcast does not offer home networks static DNS addresses. They are dynamic and update every 2-3 weeks.  So, we have not used a real dynamic Comcast DNS for at least 2.5 years!

4.  What are the odds that a legitimate Comcast dynamic address in use in Dec 2006, when we installed the new router and hand-input the DNS we found in the old router, was somehow independently hijacked after the fact by UKRTELEGROUP, LTD. from the Ukraine?  We think it is more likely that with our non-existent password our old router was compromised maliciously sometime before 12/06 by an automated "bot" looking for off-the-shelf router passwords like ours.  Is this possible?

5. The only evidence of malware we've seen over the last couple of years has been 1) the inability to download Microsoft security updates and all anti-virus pattern file updates, and 2) non-stop ubiquitous VIMAX penis enlargement banner ads -- everywhere!  (To the great amusement of my 13 year old daughter).  Could this be all UKRTELEGROUP LTD was up to?

6.  The final last hurdle to clearing this up was suggested by no-one.  I repeatedly reset the router, then powered down and back up the router and the Comcast cable modem.  But the hand-input DNS1 and DNS2 persisted!!!  How could these survive a router re-set?  Well, here's the answer (according to Comcast after many calls).  I am a Comcast triple-play subscriber - I get my internet, my home phone and my cable TV via Comcast.  Because I get my digital phone service through the cable modem, it carries a battery (to prevent phone outage during temporary loss of power).  This battery saves the router settings, even after you re-set the router.  I had to reset the router AND the cable modem.  Once I did this, the router console software came up with 0.0.0.0 for both DNS.  When I turned on the cable modem, after a reset, HALLELUJAH, the router inherited the DNS1 and DNS2 dynamically from Comcast and everything was OK.

I was able to do 25 security updates from Microsoft, update all virus scans, and found nothing else malicious.  Even the penis ads are completely gone!

So -- I now have the desired result.  Does my explanation make sense? How come nobody has ever heard of a compromised home router?  I can't tell you how many interactions I had with Trend Micro, and every time they return to another HijackThis log -- over and over -- without ever solving the problem.

Why don't the anti-virus companies, or even the blogs, have much about this situation?

I await your final comments.  Thanks, Everybody!!!!!

Howspa

by: howspa, posted on 2009-04-23 at 22:21:49 (ID: 24221924)

Although my problem is now solved, I would like any comments regarding my explanation of what happened.  Am I on target, or is part of my story off-base?  (see my previous comment)

Please let me know

Howspa

by: jd_programmer1, posted on 2009-04-25 at 23:35:15 (ID: 24234883)

Again, I am very sorry for taking so long to get back to you, Howspa.

As for points 1-4, I agree that it would be more likely that someone compromised the weak protection on your old router than the possibility of a legitimate Comcast DNS entry being hijacked. It's been years, though, so that is still a possibility, if say someone else purchased the rights to that certain IP address range.

5 - Since both of those issues were related to accessing web services, it may not have been malware at all causing your problems - those could have both been (and likely were) caused by the bad DNS entries.

6 - That is odd that your cable modem would save your DNS settings, which should have been stored on the router (and dynamically set by the modem if the router requested it). I've only seen one modem like that, though, so that's good to remember now. We all learn something new...

Trend Micro probably wanted HJT logs because these problems are so commonly caused by malware, and not problems with routers. To be honest, I've never encountered a compromised router before, so I personally believe the situation is rare. The router manufacturers always recommend changing the default security settings, but few actually heed that advice. Now that you mention it, I'm actually surprised that cases such as these aren't more common. Therefore, if you haven't already, please be sure to change your router password, SSID, and network key!

I'm glad that you were able to rectify the problem. Thanks for your detailed update - half the time I never know how the situation ends when I try to help people here on EE.

Have a great day.

J.D.

by: howspa, posted on 2009-04-30 at 14:11:31 (ID: 31565659)

Thanks for your help, Jd_programmer1 and Halejr1.
I would never have figured on a hijacked router DNS without your help!
