Solved

http://windowsupdate.microsoft.com/ is redirected to Google.com

Posted on 2009-04-01
Last Modified: 2013-12-06
Here's the weird thing -- this only happens on my home wifi network.  I do not have these problems when I am at work, or even if I use the wifi at Starbucks.  But at home, the mischief begins.  Symptoms on home wifi (which is WEP encrypted):  I can download and install anti-virus software (Malware, Trend Micro, McAfee) but I cannot update -- these are blocked.  I cannot download any MS security updates AT HOME.  I downloaded and ran the MS updates at work.  Nothing was found, including Conficker -- which I suspected because of these symptoms.  In addition to my laptop, there are 2 other PCs on my home network -- all show the same symptoms.  I've run all scans on all PCs and all say they are clean.  But these symptoms persist.  What is going on?  Is it possible for a worm or a virus to live on my wireless router?
hijackthis.log
Question by:howspa
21 Comments
 
Assisted Solution

by:jd_programmer1
jd_programmer1 earned 400 total points
It is possible for the router to be redirecting the requests, although that is unlikely. Have you tried removing it from the picture and just connecting your laptop straight to your broadband modem? That would determine whether the problem is with the router or another source, like your ISP (again, quite unlikely, but hey, you never know).

Expert Comment

by:jd_programmer1
One other thing - you might try scanning one of the machines with SUPERAntiSpyware (http://www.superantispyware.com/ - the free version will do) and/or MalwareBytes Anti-Malware (http://www.malwarebytes.org/mbam.php - also free).

Someone posted here that SUPERAntiSpyware took care of a similar problem, although it could certainly be something more substantial. http://www.vistaheads.com/forums/microsoft-public-internetexplorer-general/329507-windows-update-redirected-google-cant-fix.html

Expert Comment

by:jd_programmer1
OK, it's too late for me - I see that you already have MalwareBytes Anti-Malware in your HJT log, so scratch that one. :)

Expert Comment

by:halejr1
Here is what will probably fix it for you.

http://support.microsoft.com/kb/193385

Navigate to your C:\Program Files\WindowsUpdate directory.

You will probably see a V4 and a Cabs subdirectory in addition to
maybe a few dozen files.

Delete all files (don't delete the V4 and the Cabs directory). If
you're nervous about doing that, then make a backup directory there
and move the files into it.

So there should be no files in C:\Program Files\WindowsUpdate.

Go into the V4 directory. There might be a few files there, and maybe
a temp directory. Delete everything (including the temp directory)
EXCEPT for the file iuhist.xml. Then go back into C:\Program
Files\WindowsUpdate. MS says you can delete the Cabs directory, but I
just went into the cabs directory and deleted what was there (1 file I
think).

That's it. Close all IE windows and then open IE and try Windows
Update.


Author Comment

by:howspa
halejr1's suggestion was not helpful

>>Navigate to your C:\Program Files\WindowsUpdate directory.
>>You will probably see a V4 and a Cabs subdirectory in addition to
>>maybe a few dozen files.

There are no files or folders at all in C:\Program Files\WindowsUpdate on any of my 2 home PCs and my laptop (I made sure that I can view hidden files, folders and Operating System files)

>>Delete everything (including the temp directory) EXCEPT for the file iuhist.xml.

I do not have an iuhist.xml file.  I wonder if one of the scans that I've run has deleted everything (McAfee, Trend Micro, Malware, and the MS security updates and malicious software remover)

Don't forget the key mystery here -- when I take my laptop to work, or to Starbucks, etc. I have no problem connecting to http://windowsupdate.microsoft.com.  The problem only exists when I boot up and connect via my home network (wifi or ethernet and a Comcast cable modem)

Author Comment

by:howspa
Dear jd_programmer1:

I could not download this software (blocked by my malware!) so I had a friend download and email it to me.  But, foiled again, during the install the software tried to download the latest definition files and -- of course -- I was blocked again!  Do you know if the latest definition files can be downloaded and emailed to me?

>>Someone posted here that SUPERAntiSpyware took care of a similar problem, although it could certainly be something more substantial. http://www.vistaheads.com/forums/microsoft-public-internetexplorer-general/329507-windows-update-redirected-google-cant-fix.html

Expert Comment

by:jd_programmer1
You can manually download the definitions from this link: http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE

FYI, this is off of http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE. Just in case you don't want to click that link and would rather go from their site. Hopefully this will take care of your issue!

Expert Comment

by:jd_programmer1
Sorry, the second link was supposed to be http://www.superantispyware.com/definitions.html. This is just a page about the latest definitions.

Assisted Solution

by:halejr1
halejr1 earned 100 total points
Howspa-- based on what you said regarding your "going to work, or starbucks and no problems..." it sounds to me like your DNS from home has been hijacked.... compare your DNS settings when home and away and also do an NSLOOKUP from home to some of these sites that keep failing.  i.e.

NSLOOKUP
update.microsoft.com (or a site that's giving you problems) and you should get something similar to this:
C:\Users\blar>nslookup
Default Server:  io.mydomain.local
Address:  192.168.55.15

> update.microsoft.com
Server:  io.mydomain.local
Address:  192.168.55.15

Non-authoritative answer:
Name:    update.microsoft.com.nsatc.net
Address:  65.55.184.29
Aliases:  update.microsoft.com
****************************************************
if your nameserver is not resolving correctly then you are pointing to the wrong or bad nameserver from your home network.  Also this assumes you are not running a local proxy server.

The only thing that's different from home and starbucks is you have a different DHCP source and different local network.  Your DHCP source will provide you with an IP address, SNM, default Gateway and DNS / Wins and other entries.  I would be interested to see what your ipconfig /all looks like.

Author Comment

by:howspa
jd_programmer1 suggested that "It is possible for the router to be redirecting the requests, although that is unlikely. Have you tried removing it from the picture and just connecting your laptop straight to your broadband modem?"

I tried this.  While it didn't work for my laptop (I couldn't get an IP address), it did work for my desktop.  As soon as I bypassed my home network router, I was able to go to updates.microsoft.com, and download approximately 25 updates that I've been blocked from getting over the last year.

So, the problem is my router -- and it has been redirecting me all along!

Do I throw it away and just buy a new one.  How do I prevent this from happening again?

Author Comment

by:howspa
Dear halejr1

>>Howspa-- based on what you said regarding your "going to work, or starbucks and no problems..." it sounds to me like your DNS from home has been hijacked.... compare your DNS settings when home and away and also do an NSLOOKUP from home to some of these sites that keep failing.  i.e.

I was out of town for a week, so I will do this and send you the results of NSLOOKUP and IPCONFIG from both work and home.

As I said in my previous comment, I bypassed the router and my home desktop was able for the first time in a year to download all the Microsoft updates as well as all of my anti-virus software updates, so the problem was clearly in the router.  But doesn't the DHCP source for DNS, etc. all originate from Comcast (my ISP)?  How could my DNS be hijacked in the first place?

Author Comment

by:howspa
One more comment about my situation --

I've noticed that when I'm home with my laptop, or on the desktops, I get non-stop banner ads for Vimax penis enlargement pills.  This doesn't happen at work or anywhere else.  My anti-virus software (and I've tried 3 complete scans from McAfee, SuperAnti-virus, and Trend Micro) has no impact on the presence of these ubiquitous Vimax banners -- even when I copied the latest pattern files onto these PCs from a memory stick instead of downloading them.

Thanks for any suggestions

Author Comment

by:howspa
Dear halejr1:

>>Howspa-- based on what you said regarding your "going to work, or starbucks and no problems..." it sounds to me like your DNS from home has been hijacked.... compare your DNS settings when home and away and also do an NSLOOKUP from home to some of these sites that keep failing.

See attached word file.  I noticed immediately that my DNS server at home was a Ukraine domain and did a Whois (see below).  Did these folks hijack my DNS?  How do I fix this?  THANKS!

IP Information for 85.255.113.2
IP Location:   Ukraine Odessa Ukrtelegroup Ltd  
Resolve Host:  85.255.113.2.static.ukrtelegroup.com.ua  
IP Address:  85.255.113.2      
Blacklist Status:  Clear  

Whois Record
inetnum:        85.255.112.0 - 85.255.127.255
netname:        UkrTeleGroup
descr:          UkrTeleGroup Ltd.
admin-c:        UA481-RIPE
tech-c:         UA481-RIPE
country:        UA
org:            ORG-UL25-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-HM-PI-MNT
mnt-lower:      RIPE-NCC-HM-PI-MNT
mnt-by:         UKRTELE-MNT
mnt-routes:     UKRTELE-MNT
mnt-domains:    UKRTELE-MNT
source:         RIPE # Filtered

organisation:   ORG-UL25-RIPE
org-name:       UkrTeleGroup Ltd.
org-type:       LIR
address:        UkrTeleGroup Ltd.
                Mechnikova 58/5
                65029 Odessa
                Ukraine
phone:          +380487311011
fax-no:         +380487502499
mnt-ref:        UKRTELE-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

person:         Andrew Sotov
address:        Mechnikova 58/5 65029 Odessa
abuse-mailbox:  
phone:          +380631508855
nic-hdl:        UA481-RIPE
source:         RIPE # Filtered
 

NSLOOKUP-and-IPCONFIG-from-my-la.docx

Assisted Solution

by:jd_programmer1
jd_programmer1 earned 400 total points
Hey howspa, sorry for taking so long to get back to you. Since this looks like the problem may indeed be with your router, you should probably look at its DNS settings. It should indeed be pulling these settings from your ISP, but it is possible to set them manually, which may have been done maliciously. You can hard-input the DNS settings from Comcast that you got when you hooked up your desktop directly to the modem, or you could use OpenDNS's servers. (See an easier-than-dirt guide for setting up pretty much any router here https://www.opendns.com/start/router/).

If that doesn't work, you could also reset your router back to its factory defaults. It should be able to work with Comcast out of the box, but you will lose any security settings (wireless SSID [network name] and passwords). Can you give us the brand and model number of your router?

Author Comment

by:howspa
Dear jd programmer1

Thanks for your response.  I have a Linksys Wireless-G 2.4GHz 802.11g router at home.  I set it up myself (took it out of the box, plugged it in and turned it on -- I didn't hard-input any DNS settings, nor did anyone else).   Should I reset my router or just buy a new one?  Is Linksys more vulnerable than others?

Any comment about the Ukraine based IP that has hijacked my DNS server (see NSLOOKUP below)?  Did you see the IP address that my network thinks belongs to update.microsoft.com?  It's Google "English".  This hijack diverts every attempt to update any security updates or anti-virus pattern files.  Nearly all my banner ads seem to be for Vimax penis enlargement -- could this be the purpose of this hijack?

How did Ukrtelegroup Ltd ever take over my DNS in the first place?  How come this is beyond the scope of any anti-virus software?  After I reset my router, how do I prevent this from happening again?

If a router is compromised like mine, can the perpetrator access the computers on my network (for personal info, identity theft, etc.).  In other words, how worried should I be?

NSLOOKUP from my laptop at home:

C:\DOCUME~1\CARL~1.SPA>nslookup update.microsoft.com
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 85.255.116.146: Timed out
Server:  85.255.112.225.static.ukrtelegroup.com.ua
Address:  85.255.112.225

Non-authoritative answer:
Name:    update.microsoft.com
Address:  72.14.205.100
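The comparison halejr1 asked for (resolver used at home versus away, and the answer each gives for update.microsoft.com) can be done offline against the two transcripts pasted in this thread. The script below is an added example, not code from the thread or from Experts Exchange: it parses Windows nslookup output, flags a resolver that is not on an assumed trusted list or that falls inside the 85.255.112.0/20 block shown in the RIPE record above, and reports when the home and away answers have no address in common. The trusted-resolver list and the sample transcripts are constructed for the example.

```python
"""Flag a hijacked resolver by comparing two nslookup transcripts (added example)."""
import ipaddress
import re

# Constructed samples modelled on the two nslookup transcripts quoted in the thread.
AWAY = """\
Server:  io.mydomain.local
Address:  192.168.55.15

Non-authoritative answer:
Name:    update.microsoft.com.nsatc.net
Address:  65.55.184.29
Aliases:  update.microsoft.com
"""

HOME = """\
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 85.255.116.146: Timed out
Server:  85.255.112.225.static.ukrtelegroup.com.ua
Address:  85.255.112.225

Non-authoritative answer:
Name:    update.microsoft.com
Address:  72.14.205.100
"""

# inetnum 85.255.112.0 - 85.255.127.255 from the RIPE record in the thread.
FLAGGED_RANGES = [ipaddress.ip_network("85.255.112.0/20")]
# Assumed: the resolvers you expect (ISP-assigned or ones you chose yourself).
TRUSTED_RESOLVERS = {"192.168.55.15"}

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_nslookup(text):
    """Return (resolver_ip, [answer_ips]) from Windows nslookup output.

    The first 'Address:' line before the answer section is the resolver that
    was queried; 'Address:'/'Addresses:' lines after 'Non-authoritative
    answer:' (or 'Name:') are the answers for the looked-up name.
    """
    resolver, answers, in_answer = None, [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("Non-authoritative answer:", "Name:")):
            in_answer = True
            continue
        if stripped.startswith("Address"):
            ips = IP_RE.findall(stripped)
        elif in_answer and IP_RE.fullmatch(stripped):
            ips = [stripped]  # indented continuation line under 'Addresses:'
        else:
            continue
        if in_answer:
            answers.extend(ips)
        elif resolver is None and ips:
            resolver = ips[0]
    return resolver, answers


def resolver_findings(resolver):
    """Explain why a resolver address deserves a second look."""
    if resolver is None:
        return ["no resolver address found in output"]
    findings = []
    if resolver not in TRUSTED_RESOLVERS:
        findings.append(f"resolver {resolver} is not on the trusted list")
    addr = ipaddress.ip_address(resolver)
    findings += [f"resolver {resolver} is inside flagged range {net}"
                 for net in FLAGGED_RANGES if addr in net]
    return findings


def compare(home_text, away_text):
    """Findings for the home transcript, plus an answer mismatch against away.

    Disjoint answers alone are only a hint (CDNs answer differently by
    location); combined with an untrusted resolver they point at hijacking.
    """
    home_res, home_ans = parse_nslookup(home_text)
    _, away_ans = parse_nslookup(away_text)
    findings = resolver_findings(home_res)
    if home_ans and away_ans and set(home_ans).isdisjoint(away_ans):
        findings.append(f"answers differ: home {home_ans} vs away {away_ans}")
    return findings


if __name__ == "__main__":
    for finding in compare(HOME, AWAY):
        print(finding)
```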
 
Accepted Solution

by:jd_programmer1
jd_programmer1 earned 400 total points
To answer your questions in order:

 - I would first hard-reset your router. This can be accomplished by poking the small reset hole in the back of the unit (I use a bent paperclip) for 5-10 seconds. Then log in to the router (should be IP address 192.168.1.1 with no user name and password of "admin") and change the password to something more secure. I would also change the SSID (network name) and enable encryption. I read that you are using WEP - if you can, you should use something more secure, like WPA.
This process will tell us if the router is indeed "hijacked." If the problems are solved after this, then the router was the culprit. If not, then it's on to other suggestions.

 - Linksys routers should not be any more vulnerable than other brands. As long as the default passwords and SSID are changed, then any router should be fairly secure.

 - To be honest, I do not know anything in particular about that DNS server. A google for "85.255.112.225" does bring up some malware-related hits, but they point to problems with a PC, not a router. If you have time, you may consider posting a HijackThis log on a legitimate site. My favorite is BleepingComputer - see instructions for doing so at http://www.bleepingcomputer.com/forums/topic34773.html

 - The banner popups could indeed be caused by the DNS hijack, as legitimate requests could be redirected to those sites, and other sites that you are redirected to may cause the popups, as well.

 - I don't know how the DNS could have been hijacked for sure. If the router was hijacked, it was probably due to a default or weak password, or the use of WEP encryption. If it's on the computer side, malware has many great ways of infecting computers. We've recently had quite a problem at work with our corporate antivirus not picking up some malware, which has been quite a pain.

 - If the router was compromised, it does not necessarily mean the perpetrator had access to information on your computers. If he/she was able to access the router, though, he/she may have had access to the computers. If firewall software was running on the computers, they should be safe. There is no guarantee here. Basically, he/she would have had access to your local network, as if he/she had plugged in to the router or gotten on your wireless. I wouldn't see any reason to be worried, but running a free credit report (www.annualcreditreport.com) would be smart just in case.

I hope that all of this helps. Please feel free to post any more questions.

Expert Comment

by:markiv396TIC
>>Hey howspa, sorry for taking so long to get back to you. Since this looks like the problem may indeed be with your router, you should probably look at its DNS settings. It should indeed be pulling these settings from your ISP, but it is possible to set them manually, which may have been done maliciously. You can hard-input the DNS settings from Comcast that you got when you hooked up your desktop directly to the modem, or you could use OpenDNS's servers. (See an easier-than-dirt guide for setting up pretty much any router here https://www.opendns.com/start/router/).

Great comments and on a similar but slightly different scenario the same redirect DNS site has manipulated and hard coded DNS settings in a user's TCP\IP settings causing the same symptoms. The difference is that it follows the user regardless of which Internet connection they use. (home, work, coffee shop, etc)

Author Comment

by:howspa
OK, it's solved.  Thanks to many of you for your suggestions.  While I've fixed everything now, and all symptoms are gone, I still have some doubt about how the situation arose in the first place -- any thoughts would be appreciated as it will help me prevent similar problems going forward.  I would like any comments and then I will complete my task by awarding acknowledgements.  

1. The DNS1 and DNS2 in my Netsys router for my home network were hard-input.  We replaced the router in Dec 2006.  We think my 15 year old son looked at the DNS settings in the old router at the time and typed them into the new router.  So, they haven't changed in nearly 3 years.

2. Our router password was right out of the box "Admin" with no user name.

3. Unknown to us (until this week), Comcast does not offer home networks static DNS addresses. They are dynamic and update every 2-3 weeks.  So, we have not used a real dynamic Comcast DNS for at least 2.5 years!

4.  What are the odds that a legitimate Comcast dynamic address in use in Dec 2006, when we installed the new router and hand-input the DNS we found in the old router, was somehow independently hijacked after the fact by UKRTELEGROUP, LTD. from the Ukraine?  We think it is more likely that with our non-existent password that our old router was compromised maliciously sometime before 12/06 by an automated "bot" looking for off-the-shelf router passwords like ours.  Is this possible?

5. The only evidence of malware we've seen over the last couple of years has been 1) the inability to download Microsoft security updates and all anti-virus pattern file updates, and 2) non-stop ubiquitous VIMAX penis enlargement banner ads -- everywhere!  (To the great amusement of my 13 year old daughter).  Could this be all UKRTELEGROUP LTD was up to?

6.  The final last hurdle to clearing this up was suggested by no-one.  I repeatedly reset the router, then powered down and back up the router and the Comcast cable modem.  But the hand-input DNS1 and DNS2 persisted!!!  How could these survive a router re-set?  Well, here's the answer (according to Comcast after many calls).  I am a Comcast triple-play subscriber - I get my internet, my home phone and my cable TV via Comcast.  Because I get my digital phone service through the cable modem, it carries a battery (to prevent phone outage during temporary loss of power).  This battery saves the router settings, even after you re-set the router.  I had to reset the router AND the cable modem.  Once I did this, the router console software came up with 0.0.0.0 for both DNS.  When I turned on the cable modem, after a reset, HALLELUJAH, the router inherited the DNS1 and DNS2 dynamically from Comcast and everything was OK.

I was able to do 25 security updates from Microsoft, update all virus scans, and found nothing else malicious.  Even the penis ads are completely gone!

So -- I now have the desired result.  Does my explanation make sense? How come nobody has ever heard of a compromised home router?  I can't tell you how many interactions I had with Trend Micro, and every time they return to another HijackThis log -- over and over -- without ever solving the problem.

Why don't the anti-virus companies, or even the blogs, have much about this situation?

I await your final comments.  Thanks, Everybody!!!!!

Howspa



Author Comment

by:howspa
Although my problem is now solved, I would like any comments regarding my explanation of what happened.  Am I on target, or is part of my story off-base?  (see my previous comment)

Please let me know

Howspa

Expert Comment

by:jd_programmer1
Again, I am very sorry for taking so long to get back to you, Howspa.

As for points 1-4, I agree that it would be more likely that someone compromised the weak protection on your old router than the possibility of a legitimate Comcast DNS entry being hijacked. It's been years, though, so that is still a possibility, if, say, someone else purchased the rights to that certain IP address range.

5 - Since both of those issues were related to accessing web services, it may not have been malware at all causing your problems - those could have both been (and likely were) caused by the bad DNS entries.

6 - That is odd that your cable modem would save your DNS settings, which should have been stored on the router (and dynamically set by the modem if the router requested it). I've only seen one modem like that, though, so that's good to remember now. We all learn something new...

Trend Micro probably wanted HJT logs because these problems are so commonly caused by malware, and not problems with routers. To be honest, I've never encountered a compromised router before, so I personally believe the situation is rare. The router manufacturers always recommend changing the default security settings, but few actually heed that advice. Now that you mention it, I'm actually surprised that cases such as these aren't more common. Therefore, if you haven't already, please be sure to change your router password, SSID, and network key!

I'm glad that you were able to rectify the problem. Thanks for your detailed update - half the time I never know how the situation ends when I try to help people here on EE.

Have a great day.

J.D.

Author Closing Comment

by:howspa
Thanks for your help Jd_programmer1 and Halejr1
I would never have figured on a hijacked router DNS without your help!