Guest Øyvind Granberg
Posted November 14, 2008

My HiJackThis log does not reveal anything suspicious.
Not that I can see.
No item in category #017 is listed.

Here is the problem as reported in Malwarebytes:

Registerfiler infisert:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0bbac451-a3f6-43be-9c01-cfe8c09ad493}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0bbac451-a3f6-43be-9c01-cfe8c09ad493}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 -> Quarantined and deleted successfully.

I have deleted them using MBAM and manually deleting these four or six entries in the registry.
No dice!!
Somewhere there is a file which is reestablishing these registry keys again.
Where?

--
Kind regards
Øyvind Granberg
tresfjording@live.no
www.tresfjording.com

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message: ubbZkPgRJHA.3516@TK2MSFTNGP03.phx.gbl ...
> From: "Øyvind Granberg" <tresfjording@live.no>
>
> | Your procedure involves hundreds of MB's to download.
> | Aren't we here shooting sparrow with cannons?
>
> My procedure was for you to post in an Expert Forum and I don't see how it would require hundreds of MB's of download.
>
> If you are talking about my Multi AV Scanning Tool, I never suggested you use it.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Peter Foldes
Posted November 14, 2008

And while it is running you are using the computer to post here among other things. Wonderful

--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"Øyvind Granberg" <tresfjording@live.no> wrote in message news:%239I7dhmRJHA.1960@TK2MSFTNGP04.phx.gbl...
> I will... as soon as Mr. Lipman's ENORMOUS four step virus killer quest is over.
>
>> You might try reporting the problem in General Malwarebytes' Anti-Malware Forum <http://www.malwarebytes.org/forums/index.php?showforum=41>
>>
>> or via contact page <http://www.malwarebytes.org/contact.php>
>>
>> They are normally responsive
>>
>> John

Guest David H. Lipman
Posted November 14, 2008

From: "Øyvind Granberg" <tresfjording@live.no>

| My HiJackThis log does not reveal anything suspicious.
| Not that I can see.
| No item in category #017 is listed.
| Here is the problem as reported in Malwarebytes:
| Registerfiler infisert:
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer
| (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
| Quarantined and deleted successfully.
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0bbac451-a3f6-43be-9c01-cfe8c09ad493}\DhcpNameServer
| (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
| Quarantined and deleted successfully.
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer
| (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
| Quarantined and deleted successfully.
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0bbac451-a3f6-43be-9c01-cfe8c09ad493}\DhcpNameServer
| (Trojan.DNSChanger) -> Data: 85.255.112.130 85.255.112.170 1.2.3.4 ->
| Quarantined and deleted successfully.
| I have deleted them using MBAM and manually deleting these four or six
| entries in the registry.
| No dice!!
| Somewhere there is a file which is reestablishing these registry keys again.
| Where?

Assuming your SOHO Router is at: 192.168.1.1
Go into your router: http://192.168.1.1
and examine the DNS entries.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest FromTheRafters
Posted November 14, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:ubbZkPgRJHA.3516@TK2MSFTNGP03.phx.gbl...
> From: "Øyvind Granberg" <tresfjording@live.no>
>
> | Your procedure involves hundreds of MB's to download.
> | Aren't we here shooting sparrow with cannons?
>
> My procedure was for you to post in an Expert Forum and I don't see how it would require hundreds of MB's of download.
>
> If you are talking about my Multi AV Scanning Tool, I never suggested you use it.

To be honest David, I didn't ever see that post to this poster where you suggested the usual expert route. I did see the post by Malke where it is suggested to try your tool.

I thought it was strange at the time, but assumed the post you referred to was in another group or thread which I am not monitoring.

....the way these web to usenet gateways seem to mess up the threading and the way the posters change subjects mid thread make it all a jumble.

....and then there's ~BD~ who does it on purpose.

Guest David H. Lipman
Posted November 14, 2008

From: "FromTheRafters" <erratic@nomail.afraid.org>

| To be honest David, I didn't ever see that post to this poster
| where you suggested the usual expert route. I did see the
| post by Malke where it is suggested to try your tool.

| I thought it was strange at the time, but assumed the post you
| referred to was in another group or thread which I am not
| monitoring.

| ...the way these web to usenet gateways seem to mess up the
| threading and the way the posters change subjects mid thread
| make it all a jumble.

| ...and then there's ~BD~ who does it on purpose.

Posted in: alt.comp.anti-virus
Post subject: Re: I can't download...
Date: Sunday, November 09, 2008 3:01 PM

He posted (my time) at 2:54 PM just minutes before posting

Posted in: microsoft.public.security.virus
Post Subject: Do I have a virus?
Date: Sunday, November 09, 2008 2:58 PM

Basically your Multi-Post with two different subjects.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest FromTheRafters
Posted November 15, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:exdjanqRJHA.6060@TK2MSFTNGP06.phx.gbl...
> From: "FromTheRafters" <erratic@nomail.afraid.org>
>
> | To be honest David, I didn't ever see that post to this poster
> | where you suggested the usual expert route. I did see the
> | post by Malke where it is suggested to try your tool.
>
> | I thought it was strange at the time, but assumed the post you
> | referred to was in another group or thread which I am not
> | monitoring.
>
> | ...the way these web to usenet gateways seem to mess up the
> | threading and the way the posters change subjects mid thread
> | make it all a jumble.
>
> | ...and then there's ~BD~ who does it on purpose.
>
> Posted in: alt.comp.anti-virus
> Post subject: Re: I can't download...
> Date: Sunday, November 09, 2008 3:01 PM
>
> He posted (my time) at 2:54 PM just minutes before posting
>
> Posted in: microsoft.public.security.virus
> Post Subject: Do I have a virus?
> Date: Sunday, November 09, 2008 2:58 PM
>
> Basically your Multi-Post with two different subjects.

Thanks, I suspected as much.

Guest ~BD~
Posted November 16, 2008

Hello again Øyvind - How are things going?

Have you had to wield your mighty sword yet? <grin>

Dave

--

Guest ~BD~
Posted November 16, 2008

"~BD~" <~BD~@no.mail.afraid.com> wrote in message news:OnH4lmASJHA.5348@TK2MSFTNGP02.phx.gbl...
>
> Hello again Øyvind - How are things going?
>
> Have you had to wield your mighty sword yet? <grin>
>
> Dave
>
> --

Maybe this will help <smile>

(A post by Bill Castner of Aumha.net http://www.aumha.net/viewtopic.php?f=30&t=36886 )

There is a widespread DNS Hijacker going around that requires unusual measures to resolve. By posting this in a single and editable location, it I hope is a convenience to both me, and the Forum.

How Do You Know If You Have This Malware Infection?

While the adware it will popup is aggressively more so than typical adware infections, the DNS redirection is easy to test. Try the following in your Browser address bar:

download.microsoft.com

If you end up anywhere other than the official Microsoft Download Center, keep reading. For all others, you may have something else.

So Now What?

1. Create a "toolkit". Download the following to your Desktop and not any other location or Folder:

GMER: http://www.gmer.net/index.php
Malwarebytes Anti-Malware -- MBAM (if you have this installed, Uninstall it and download it again): http://www.malwarebytes.org/mbam.php
PrevX CSI: http://www.prevx.com/freescan.asp

2. Run MBAM. If it wants to reboot when finished, do so.

3. Run Prevx CSI. If it wants to reboot when finished do so.

4. Make sure you know the setup information for your router. You want to access the router configuration pages, and write down any information necessary to authenticate with your ISP. Please write this down, if you do not have a record elsewhere of this information. When in doubt, call your ISP and ask what is needed in the authentication fields of the router.

4. Shut down your computer, and any other computer connected to your router.

5. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds. Unplug the router. Wait sixty seconds. Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.

6. With the router unplugged, start your computer. Run MBAM again.

7. Run Prevx CSI again.

8. Connect again to the router. Then turn the router back on. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.

9. Reboot the workstation and do a final test.

Special Note and Reading List:

Several folks have asked why they have to RESET the router. And how on earth could malware affect the router in the first place? There are, that I have seen in the last week, in wide distribution, at least four malware infections, one rootkit-based, that at present do exactly this; and have since the last week in October. As to how this can be done, please read this short Article: http://www.geekstogo.com/2008/04/08/hav ... read-this/

Does this mean you throw out your router and replace it? No. You do at least the RESET operation I described above. If you are exceedingly cautious about the matter, visit your router manufacturer's website and download the newest firmware release for your router. Then reflash the router firmware. Since there are literally thousands of router models out there, I cannot advise you about how to reflash your router firmware. The manufacturer's website should have utilities and instructions for doing so. I cannot answer any specific questions as to how to do this. In most cases, I consider a reflash of the firmware unnecessary.

Guest David H. Lipman
Posted November 16, 2008

From: "~BD~" <~BD~@no.mail.afraid.com>

< snip >

| Several folks have asked why they have to RESET the router. And how on earth
| could malware affect the router in the first place? There are, that I have
| seen in the last week, in wide distribution, at least four malware
| infections, one rootkit-based, that at present do exactly this; and have
| since the last week in October. As to how this can be done, please read this
| short Article: http://www.geekstogo.com/2008/04/08/hav ... read-this/

| Does this mean you throw out your router and replace it? No. You do at least
| the RESET operation I described above. If you are exceedingly cautious about
| the matter, visit your router manufacturer's website and download the newest
| firmware release for your router. Then reflash the router firmware. Since
| there are literally thousands of router models out there, I cannot advise
| you about how to reflash your router firmware. The manufacturer's website
| should have utilities and instructions for doing so. I cannot answer any
| specific questions as to how to do this. In most cases, I consider a reflash
| of the firmware unnecessary.

What is NOT mentioned and should have been is that the SOHO Router should be enabled with a Strong Password.

I agree that flashing the Router's FirmWare is not needed.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest ~BD~
Posted November 16, 2008

FYI David - I've just finished a scan with the Windows Live Safety Scanner.

There were some minor Registry errors but of more concern was notification of the presence of 'Trojan Win32/AgentBypass.gen!k' details of which I found here:- http://onecare.live.com/site/en-gb/virusen...entBypass.gen!K

Port 80 was also found Open.

The price of experimentation I suppose! <s>

Dave

--

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:OH3%23LHBSJHA.5860@TK2MSFTNGP02.phx.gbl...
> From: "~BD~" <~BD~@no.mail.afraid.com>
>
> < snip >
>
> | Several folks have asked why they have to RESET the router. And how on earth
> | could malware affect the router in the first place? There are, that I have
> | seen in the last week, in wide distribution, at least four malware
> | infections, one rootkit-based, that at present do exactly this; and have
> | since the last week in October. As to how this can be done, please read this
> | short Article: http://www.geekstogo.com/2008/04/08/hav ... read-this/
>
> | Does this mean you throw out your router and replace it? No. You do at least
> | the RESET operation I described above. If you are exceedingly cautious about
> | the matter, visit your router manufacturer's website and download the newest
> | firmware release for your router. Then reflash the router firmware. Since
> | there are literally thousands of router models out there, I cannot advise
> | you about how to reflash your router firmware. The manufacturer's website
> | should have utilities and instructions for doing so. I cannot answer any
> | specific questions as to how to do this. In most cases, I consider a reflash
> | of the firmware unnecessary.
>
> What is NOT mentioned and should have been is that the SOHO Router should be enabled with a Strong Password.
>
> I agree that flashing the Router's FirmWare is not needed.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Øyvind Granberg
Posted November 17, 2008

Re: dnsChange virus SOLVED...

Hi !!

I am glad to inform you that I have taken care of the Zlob.dnschanger trojan. It's a trojan and therefore not contagious as viruses are. You have to take some action yourself in order to get it.

It has changed the configuration in my Linksys wireless router to detour all traffic to their pages.
See this link for more info: http://tresfjording.com/docs/2008-11-16_165353.png

All I did was to log on to the router, change all numbers in all three Static DNS #1, 2 and 3 to null. Then I changed the password... very important!

After that I ran Malwarebytes Anti-Malware and it found two instances of malware which it successfully removed.

This procedure fixed all eight laptops and the desktop in the household.

This information for your convenience!

This is a fairly new method of messing up your computer and it takes advantage of sloppy wireless router owners still running behind the well known factory password. Also if you like me accidentally tap in the info when a dialog box asks for it, please kick yourself in the butt! Hard!

Then the trojan reports computer activity and keylogs to its principals.

I am glad I worked it out. All systems green still five hours after the cleaning....

Have a nice day!

--
Kind regards
Øyvind Granberg
tresfjording@live.no
www.tresfjording.com

"The only thing between me and my goals is my own ignorance" (granberg - 2008)

Guest Øyvind Granberg
Posted November 17, 2008

The problem is that it changes the DNS entries in your wireless router, not your ADSL router, and every time MBAM deleted registry entries, it reinstated them through the web pages those new DNS addresses pointed to.

See my latest reply to this thread and spread the word.

--øg--
A not so perturbed Norwegian Viking!
My sword is still sharp... :-)

Guest David H. Lipman
Posted November 17, 2008

From: "Øyvind Granberg" <tresfjording@live.no>

| The problem is that it changes the DNS entries in your wireless router, not
| your ADSL router, and every time MBAM deleted registry entries, it reinstated
| them through the web pages those new DNS addresses pointed to.

| See my latest reply to this thread and spread the word.

Wired or wireless... NO DIFFERENCE!

As I stated a SOHO Router. SOHO -- Small Office Home Office.

As I posted earlier, the DNSChanger injects a DLL into the Windows Spooler Service. The Spooler Service is restarted and it communicates to the Router. It doesn't make a difference if you are wired through an RJ45 Ethernet port or if you attached wirelessly. The Spooler Service is hijacked (so to speak) and communicates to the router such as 192.168.1.1. It will then use a dictionary of known passwords (or other methodology) to gain access to the Router's DNS entries. Once the DNSChanger modifies the DNS table of the Router any node that obtains an IP address from the Router via DHCP will gain the DNS entries the trojan has entered. Thus any device that obtains a DHCP lease from the Router will be using the DNS entries the trojan has inserted.

There are Routers that combine a DSL modem with a Router such as a Westell 6100 and there are standalone Routers from DLink, Linksys, Netgear, etc. All are affected IFF the user uses the manufacturer's default password.

As of yet, I have not heard of uPnP or protocols being used to bypass authentication at TCP port 80.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

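Added example, not part of any post in this thread: the DhcpNameServer registry values are written from the DHCP lease, which is why they return after being deleted while the router still hands out the altered resolvers. The Python below parses output in the shape printed by `reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /s /v DhcpNameServer` and flags every resolver outside an expected set; the expected resolver (192.168.1.1), the second interface GUID and all function names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample input. The addresses and the first interface GUID are the
# ones quoted in the thread; the second interface GUID is made up.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    DhcpNameServer    REG_SZ    85.255.112.130 85.255.112.170 1.2.3.4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0bbac451-a3f6-43be-9c01-cfe8c09ad493}
    DhcpNameServer    REG_SZ    85.255.112.130 85.255.112.170 1.2.3.4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}
    DhcpNameServer    REG_SZ    192.168.1.1

End of search: 3 match(es) found.
"""

VALUE_RE = re.compile(r"^\s+DhcpNameServer\s+REG_SZ\s*(.*)$", re.IGNORECASE)
GUID_RE = re.compile(r"\\Interfaces\\(\{[0-9a-fA-F-]{36}\})$")


def parse_reg_query(text):
    """Return {registry_key: [server, ...]} for every DhcpNameServer value."""
    result, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()  # key path line precedes its value lines
            continue
        match = VALUE_RE.match(line)
        if match and key:
            # The data is a list of addresses; split on spaces (commas tolerated).
            result[key] = [s for s in re.split(r"[,\s]+", match.group(1).strip()) if s]
    return result


def classify(server, expected_ips):
    """Label one resolver relative to the set the network owner configured."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "malformed"
    if ip in expected_ips:
        return "expected"
    # A private address that is not on the list may be a second router or a
    # lab resolver; a public one nobody configured is the DNSChanger pattern.
    return "unlisted-private" if ip.is_private else "unexpected-public"


def audit(text, expected):
    """Return one finding per registry key holding a resolver that is not expected."""
    expected_ips = {ipaddress.ip_address(e) for e in expected}
    findings = []
    for key, servers in parse_reg_query(text).items():
        flagged = {}
        for server in servers:
            verdict = classify(server, expected_ips)
            if verdict != "expected":
                flagged[server] = verdict
        if flagged:
            guid = GUID_RE.search(key)
            findings.append({
                "key": key,
                "interface": guid.group(1) if guid else None,  # None = global key
                "flagged": flagged,
            })
    return findings


if __name__ == "__main__":
    # Assumption: the only resolver this network should hand out is the router.
    for finding in audit(SAMPLE_REG_OUTPUT, expected={"192.168.1.1"}):
        where = finding["interface"] or "global Tcpip\\Parameters"
        print(f"[{where}] unexpected DhcpNameServer entries: {finding['flagged']}")
        print("  value comes from the DHCP lease: check the router's DNS settings")
```

A finding here points at the DHCP server rather than the workstation, so the router's DNS fields and admin password are the place to fix it before cleaning the registry values.
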
Guest Leythos
Posted November 17, 2008

Re: dnsChange virus SOLVED...

In article <05A65F46-F934-47B7-839E-FDA3B7C99F69@microsoft.com>, tresfjording@live.no says...
> I am glad to inform you that I have taken care of the Zlob.dnschanger trojan. It's a trojan and therefore not contagious as viruses are. You have to take some action yourself in order to get it.
>
> It has changed the configuration in my Linksys wireless router to detour all traffic to their pages.
> See this link for more info:
> http://tresfjording.com/docs/2008-11-16_165353.png

If you had disabled UPNP, not used the default network subnet, not used the default password or not provided the password to some program, it could not have changed it.

Disable UPNP, change from 192.168.0.1 to 192.168.128.1 on the router, change the password, update the firmware if possible.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Guest Øyvind Granberg
Posted November 17, 2008

Re: dnsChange virus SOLVED...

I'll look into that...

--
Kind regards
Øyvind Granberg
tresfjording@live.no
www.tresfjording.com

"Leythos" <spam999free@rrohio.com> wrote in message: MPG.238aad60d8793a2a9896eb@us.news.astraweb.com ...
>
> Disable UPNP, change from 192.168.0.1 to 192.168.128.1 on the router, change the password, update the firmware if possible.
>
> --
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)

Guest David H. Lipman
Posted November 17, 2008

Re: dnsChange virus SOLVED...

From: "Leythos" <spam999free@rrohio.com>

| If you had disabled UPNP, not used the default network subnet, not used
| the default password or not provided the password to some program, it
| could not have changed it.

| Disable UPNP, change from 192.168.0.1 to 192.168.128.1 on the router,
| change the password, update the firmware if possible.

Flashing the FirmWare is not needed.

As of yet, I have not heard of uPnP or other protocols being used to bypass authentication at TCP port 80. This trojan uses a laundry list of known default passwords.

I don't think that changing the default IP address would help. Let's assume that you did and the default password was still in place. Nodes getting a DHCP lease would obtain the IP address of the Router and the trojan would still exploit the weak and known password.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Leythos
Posted November 17, 2008

Re: dnsChange virus SOLVED...

In article <OXQsujGSJHA.4212@TK2MSFTNGP03.phx.gbl>, DLipman~nospam~@Verizon.Net says...
> From: "Leythos" <spam999free@rrohio.com>
>
> | If you had disabled UPNP, not used the default network subnet, not used
> | the default password or not provided the password to some program, it
> | could not have changed it.
>
> | Disable UPNP, change from 192.168.0.1 to 192.168.128.1 on the router,
> | change the password, update the firmware if possible.
>
> Flashing the FirmWare is not needed.
>
> As of yet, I have not heard of uPnP or other protocols being used to bypass authentication at TCP port 80. This trojan uses a laundry list of known default passwords.
>
> I don't think that changing the default IP address would help. Let's assume that you did and the default password was still in place. Nodes getting a DHCP lease would obtain the IP address of the Router and the trojan would still exploit the weak and known password.

My suggestions date back ages. The malware, in the older days, would use the default subnet of 192.168.0.1 and 192.168.1.1 to attempt connections and then use the default passwords. Some tools like AOL used to publish would ask for the password and then configure the router - I had read about that being exploited because of UPNP.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Guest Kayman
Posted November 17, 2008

Re: dnsChange virus SOLVED...

On Sun, 16 Nov 2008 23:33:50 -0500, Leythos wrote:

> In article <OXQsujGSJHA.4212@TK2MSFTNGP03.phx.gbl>, DLipman~nospam~@Verizon.Net says...
>> From: "Leythos" <spam999free@rrohio.com>
>>
>>| If you had disabled UPNP, not used the default network subnet, not used
>>| the default password or not provided the password to some program, it
>>| could not have changed it.
>>
>>| Disable UPNP, change from 192.168.0.1 to 192.168.128.1 on the router,
>>| change the password, update the firmware if possible.
>>
>> Flashing the FirmWare is not needed.
>>
>> As of yet, I have not heard of uPnP or other protocols being used to bypass authentication at TCP port 80. This trojan uses a laundry list of known default passwords.
>>
>> I don't think that changing the default IP address would help. Let's assume that you did and the default password was still in place. Nodes getting a DHCP lease would obtain the IP address of the Router and the trojan would still exploit the weak and known password.
>
> My suggestions date back ages. The malware, in the older days,...

LOL!

<snipped>

Guest Leythos
Posted November 17, 2008

Re: dnsChange virus SOLVED...

In article <OQdAIxJSJHA.4148@TK2MSFTNGP03.phx.gbl>, kaymanDeleteThis@operamail.com says...
> On Sun, 16 Nov 2008 23:33:50 -0500, Leythos wrote:
>
> > In article <OXQsujGSJHA.4212@TK2MSFTNGP03.phx.gbl>, DLipman~nospam~@Verizon.Net says...
> >> From: "Leythos" <spam999free@rrohio.com>
> >>
> >>| If you had disabled UPNP, not used the default network subnet, not used
> >>| the default password or not provided the password to some program, it
> >>| could not have changed it.
> >>
> >>| Disable UPNP, change from 192.168.0.1 to 192.168.128.1 on the router,
> >>| change the password, update the firmware if possible.
> >>
> >> Flashing the FirmWare is not needed.
> >>
> >> As of yet, I have not heard of uPnP or other protocols being used to bypass authentication at TCP port 80. This trojan uses a laundry list of known default passwords.
> >>
> >> I don't think that changing the default IP address would help. Let's assume that you did and the default password was still in place. Nodes getting a DHCP lease would obtain the IP address of the Router and the trojan would still exploit the weak and known password.
> >
> > My suggestions date back ages. The malware, in the older days,...
>
> LOL!
>
> <snipped>

You may think it's funny, but there are people still being hacked by it.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Guest ~BD~
Posted November 18, 2008

Re: dnsChange virus SOLVED...

Congratulations, Øyvind - I'll bet that you are pleased! ;-)

Btw - what is the equivalent English equivalent of your first name? I discovered that Øyvind is from the Old Norse name Eyvindr, which was derived from ey meaning "island" and vindr possibly meaning "victory" or "wind". Just wondering.

Dave

Guest BoaterDave
Posted November 20, 2008

On 17 Nov, 03:02, "David H. Lipman" <DLipman~nosp...@Verizon.Net> wrote:
> From: "Øyvind Granberg" <tresfjord...@live.no>
>
> | The problem is that it changes the DNS entries in your wireless router, not
> | your ADSL router, and every time MBAM deleted registry entries, it reinstated
> | them through the web pages those new DNS addresses pointed to.
>
> | See my latest reply to this thread and spread the word.
>
> Wired or wireless... NO DIFFERENCE!
>
> As I stated a SOHO Router. SOHO -- Small Office Home Office.
>
> As I posted earlier, the DNSChanger injects a DLL into the Windows Spooler Service. The Spooler Service is restarted and it communicates to the Router. It doesn't make a difference if you are wired through an RJ45 Ethernet port or if you attached wirelessly. The Spooler Service is hijacked (so to speak) and communicates to the router such as 192.168.1.1. It will then use a dictionary of known passwords (or other methodology) to gain access to the Router's DNS entries. Once the DNSChanger modifies the DNS table of the Router any node that obtains an IP address from the Router via DHCP will gain the DNS entries the trojan has entered. Thus any device that obtains a DHCP lease from the Router will be using the DNS entries the trojan has inserted.
>
> There are Routers that combine a DSL modem with a Router such as a Westell 6100 and there are standalone Routers from DLink, Linksys, Netgear, etc. All are affected IFF the user uses the manufacturer's default password.
>
> As of yet, I have not heard of uPnP or protocols being used to bypass authentication at TCP port 80.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Hello David H Lipman

This URL has recently come to my attention: http://www.ezlan.net/index.html#Wireless

Its title is 'Networking for Home & SOHO'

The ezlan.net site overall appears to have a great deal of useful information, yet I have never happened upon it before.

I should be most grateful if you would confirm (or otherwise) that this is a genuine site and not 'a wolf in sheep's clothing'. If you do not know, I suspect you might know someone who does.

Thanks

Dave

--

Guest Øyvind Granberg
Posted November 22, 2008

Re: dnsChange virus SOLVED...

Well BD...

You've got it almost right.
In fact you've got it right.
But I like to use an interpretation of my name where Øy- is a rewrite or modernization of old Norse Ey- meaning island.
The second part is -vind, as you mentioned derived from windr, meaning wind.
But the context of the name is probably the name of a warrior who swept across the islands like a wind.
I think it sounds better! To be named after a warrior and not a breeze of light air :-)

There is, to my knowledge, an English equivalent, but the pronunciation is very close to the Russian name Ivan.

--
Kind regards
Øyvind Granberg
tresfjording@live.no
www.tresfjording.com

"~BD~" <~BD~@no.mail.afraid.com> wrote in message: ubTH4NaSJHA.4452@TK2MSFTNGP03.phx.gbl ...
> Congratulations, Øyvind - I'll bet that you are pleased! ;-)
>
> Btw - what is the equivalent English equivalent of your first name? I discovered that Øyvind is from the Old Norse name Eyvindr, which was derived from ey meaning "island" and vindr possibly meaning "victory" or "wind". Just wondering.
>
> Dave

Guest ~BD~
Posted November 24, 2008

Re: dnsChange virus SOLVED...

I assumed that you meant that there is NO English equivalent.

Thanks for your explanation - I shall remember you as Ivan the Terrible!

Or maybe Oyvan ........... if said with an Irish lilt!

Dave

--

"Øyvind Granberg" <tresfjording@live.no> wrote in message news:2DD0C245-151A-4A3C-9FF6-6DA02686D74C@microsoft.com...
> Well BD...
>
> You've got it almost right.
> In fact you've got it right.
> But I like to use an interpretation of my name where Øy- is a rewrite or modernization of old Norse Ey- meaning island.
> The second part is -vind, as you mentioned derived from windr, meaning wind.
> But the context of the name is probably the name of a warrior who swept across the islands like a wind.
> I think it sounds better! To be named after a warrior and not a breeze of light air :-)
>
> There is, to my knowledge, an English equivalent, but the pronunciation is very close to the Russian name Ivan.
>
> --
> Kind regards
> Øyvind Granberg
>
> tresfjording@live.no
> www.tresfjording.com
>
> "~BD~" <~BD~@no.mail.afraid.com> wrote in message: ubTH4NaSJHA.4452@TK2MSFTNGP03.phx.gbl ...
>> Congratulations, Øyvind - I'll bet that you are pleased! ;-)
>>
>> Btw - what is the equivalent English equivalent of your first name? I discovered that Øyvind is from the Old Norse name Eyvindr, which was derived from ey meaning "island" and vindr possibly meaning "victory" or "wind". Just wondering.
>>
>> Dave