router name changed

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

rumbleON

Thread Starter
Joined
Jan 24, 2007
Messages
7

While looking at a Zone-Alarm log I saw a blocked packet to "g2.armygrade.com". Curious, I googled the same with no result, then googled "armygrade.com" and found pages on a thread in a security forum.

When I type "g2.armygrade.com" into my address bar I am taken to my router control panel, a destination I usually reach with the address "192.168.1.1". My router is an Actiontec M1424WR, a wireless broadband router.

Some investigation revealed that "armygrade.com" is a domain registered through "godaddy.com" by a company called "Domains by Proxy", which I guess is an anonymous domain provider.

I can still access my router control panel and nothing appears to have been changed. My question is whether you have seen this before and whether I have been hacked.

Here is a HijackThis log file.

Logfile of HijackThis v1.99.1
Scan saved at 7:44:18 PM, on 1/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\XoftSpySE\xoftspy.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\xxxx\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [C-Media Echo Control] "C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ws-i586-jc.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I reset my router and the same thing still occurs. Please advise.


------------------
Time of this report: 1/24/2007, 20:20:03
Machine name: MYCOMPUTER
Operating System: Windows XP Professional (5.1, Build 2600) Service Pack 2 (2600.xpsp_sp2_gdr.050301-1519)
Language: English (Regional Setting: English)
System Manufacturer: ATI___
System Model: AWRDACPI
BIOS: Phoenix - AwardBIOS v6.00PG
Processor: Intel(R) Pentium(R) D CPU 2.80GHz (2 CPUs)
Memory: 2046MB RAM
Page File: 250MB used, 3689MB available
Windows Dir: C:\WINDOWS
DirectX Version: DirectX 9.0c (4.09.0000.0904)
DX Setup Parameters: Not found
DxDiag Version: 5.03.2600.2180 32bit


Armygrade.com resolves as 192.168.1.1, an IP that is not supposed to be in the public domain. Armygrade.com is hosted by an outfit called Steadfast.com, which is where you're taken if you type armygrade.com into your address bar.

Tech support at Steadfast confirmed hosting armygrade but couldn't say why they would have a supposedly reserved IP address. Then too, why have a domain name that doesn't take you anywhere except the homepage of your hosting company? My head is spinning.

I hope someone can shed some light on this.

Thanks
rumbleON
 
Joined
Aug 5, 2004
Messages
132
Kinda weird. I did a reverse DNS lookup on g2.armygrade.com, and it does resolve to 192.168.1.1. I would open the config on my router and make sure it is not listed in the domain setting. Then I would go to a command prompt and clear the DNS cache: "ipconfig /flushdns & ipconfig /registerdns".

Also, if you type ipconfig /all from a command prompt, what domain does it show where it says Connection specific DNS suffix?
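As an added example (not from this thread or any poster), here is a small Python check for the condition the lookup above uncovered: a public hostname whose DNS answers point into private or reserved address space. The sample answers are constructed so the check runs offline; the optional live lookup is a plain `socket.getaddrinfo` call.

```python
import ipaddress
import socket
from typing import Dict, List

# Constructed sample answers standing in for a live DNS lookup.
# The first entry mirrors what the thread reports (a public name
# answering with a LAN address); the second is an ordinary public
# address (8.8.8.8, a well-known public resolver) for contrast.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "g2.armygrade.com": ["192.168.1.1"],
    "public.example": ["8.8.8.8"],
}


def classify(addr: str) -> str:
    """Label one address by the special-purpose range it falls in."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:          # RFC 1918 and other non-routable blocks
        return "private"
    if ip.is_global:
        return "public"
    return "reserved"


def audit_answers(host: str, answers: List[str]) -> Dict[str, object]:
    """Flag any answer for `host` that is not a globally routable address.

    A public name resolving into your own LAN means a web page served
    under that name can address devices behind your router as if it
    were you, which is why such answers deserve a second look.
    """
    flagged = {a: classify(a) for a in answers if classify(a) != "public"}
    return {"host": host, "flagged": flagged,
            "verdict": "suspicious" if flagged else "ok"}


def resolve(host: str) -> List[str]:
    """Live lookup (needs network); returns unique IPv4/IPv6 answers."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    for name, addrs in SAMPLE_ANSWERS.items():
        print(audit_answers(name, addrs))
```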
 

rumbleON

Thread Starter
Joined
Jan 24, 2007
Messages
7
OK, flushed and reconfigured OK. I didn't look at the connection till after, and it says the name is "home".
 

rumbleON

Thread Starter
Joined
Jan 24, 2007
Messages
7
Just typed "g2.armygrade.com" into the browser and got my router control panel again. AAArrrrgggggghhhhhhhhhh!!!!!!!!!!!

Verizon says they don't know anything, but not to worry. When things are weird I worry. I have no valuable info in the system, but I still don't like this.

I think I may contact IANA and ask how someone could register this IP to a private domain.
 
Joined
Mar 12, 2002
Messages
5,520
Don't feel bad, when I type in that address it puts me into my router too :D...

Looks like someone has registered a domain g2.armygrade.com with the wrong address...
 

rumbleON

Thread Starter
Joined
Jan 24, 2007
Messages
7
OK... I guess it's nothing nefarious, but it sure doesn't make any sense. Anyone in charge of registering domains would surely know that IP is in a block of reserved numbers.

Thanks to those who answered this post.
 