
router name changed

Discussion in 'Networking' started by rumbleON, Jan 25, 2007.

Thread Status:
Not open for further replies.
  1. rumbleON

    rumbleON Thread Starter

    Joined:
    Jan 24, 2007
    Messages:
    7
    Posts: 2
    Join Date: Jan 2007
    Experience: Intermediate

    While looking at a Zone-Alarm log I saw a blocked packet to "g2.armygrade.com". Curious, I googled the same with no result, and then googled "armygrade.com" and found pages on a thread in a security forum.

    When I type "g2.armygrade.com" into my address bar I am taken to my router control panel, a destination I usually reach with the address "192.168.1.1". My router is an Actiontec M1424WR, a wireless broadband router.

    Some investigation revealed that "armygrade.com" is a domain registered through "godaddy.com" by a company called "Domain by Proxy", which I guess is an anonymous domain provider.

    I can still access my router control panel and nothing appears to have been changed. My question is whether you have seen this before and whether I have been hacked.

    Here is a HijackThis file.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:44:18 PM, on 1/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Eraser\eraser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\XoftSpySE\xoftspy.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\Documents and Settings\xxxx\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O4 - HKLM\..\Run: [C-Media Echo Control] "C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ws-i586-jc.cab
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    I reset my router and the same thing still occurs. Please advise.


    ------------------
    Time of this report: 1/24/2007, 20:20:03
    Machine name: MYCOMPUTER
    Operating System: Windows XP Professional (5.1, Build 2600) Service Pack 2 (2600.xpsp_sp2_gdr.050301-1519)
    Language: English (Regional Setting: English)
    System Manufacturer: ATI___
    System Model: AWRDACPI
    BIOS: Phoenix - AwardBIOS v6.00PG
    Processor: Intel(R) Pentium(R) D CPU 2.80GHz (2 CPUs)
    Memory: 2046MB RAM
    Page File: 250MB used, 3689MB available
    Windows Dir: C:\WINDOWS
    DirectX Version: DirectX 9.0c (4.09.0000.0904)
    DX Setup Parameters: Not found
    DxDiag Version: 5.03.2600.2180 32bit


    Armygrade.com resolves to 192.168.1.1, an IP that is not supposed to be in the public domain. Armygrade.com is hosted by an outfit called Steadfast.com, which is where you're taken if you type armygrade.com into your address bar.

    Tech support at Steadfast confirmed hosting armygrade but couldn't say why they would have a supposedly reserved IP address. Then too, why have a domain name that doesn't take you anywhere except the homepage of your hosting company? My head is spinning.

    I hope someone can shed some light on this.

    Thanks
    rumbleON
     
  2. N E Key

    N E Key

    Joined:
    Aug 5, 2004
    Messages:
    132
    Kinda weird; I did a reverse DNS lookup on g2.armygrade.com, and it does resolve to 192.168.1.1. I would open the config on my router and make sure it is not listed in the domain setting. Then I would go to a command prompt and clear the DNS cache: "ipconfig /flushdns & ipconfig /registerdns".

    Also, if you type ipconfig /all from a command prompt, what domain does it show where it says Connection specific DNS suffix?
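    The check described above (a public hostname answering with a private address such as 192.168.1.1) done in code rather than by hand, as an added example that is not part of this thread; the sample answers, the `.home`/`.lan` suffix list and the hostnames other than g2.armygrade.com are constructed for illustration:

```python
"""Flag DNS answers that map public hostnames to internal addresses
(RFC 1918, loopback, link-local), the pattern seen in this thread."""
import ipaddress
import socket
from typing import Dict, Iterable, List

# Constructed sample answers standing in for real resolver output.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "g2.armygrade.com": ["192.168.1.1"],    # the case from the thread
    "router.home": ["192.168.1.1"],         # hypothetical local name: expected
    "www.example.com": ["93.184.216.34"],   # hypothetical public answer: fine
    "odd.test": ["10.0.0.5", "127.0.0.1"],  # constructed: two internal answers
}

# Hostname suffixes that are expected to resolve internally (assumption).
LOCAL_SUFFIXES = (".home", ".lan", ".local", ".internal")


def is_internal_address(addr: str) -> bool:
    """True for RFC 1918, loopback, link-local or unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def is_local_name(host: str) -> bool:
    """Single-label names and known local suffixes are allowed to be internal."""
    return "." not in host or host.lower().endswith(LOCAL_SUFFIXES)


def suspicious_answers(answers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {hostname: [internal addresses]} for public names resolving internally."""
    flagged: Dict[str, List[str]] = {}
    for host, addrs in answers.items():
        if is_local_name(host):
            continue
        bad = [a for a in addrs if is_internal_address(a)]
        if bad:
            flagged[host] = bad
    return flagged


def resolve_live(hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Ask the system resolver (socket.getaddrinfo) for real answers."""
    out: Dict[str, List[str]] = {}
    for h in hosts:
        try:
            out[h] = sorted({info[4][0] for info in socket.getaddrinfo(h, None)})
        except socket.gaierror:
            out[h] = []
    return out


if __name__ == "__main__":
    for host, bad in suspicious_answers(SAMPLE_ANSWERS).items():
        print(f"WARNING: {host} resolves to internal address(es) {bad}")
```

Run `suspicious_answers(resolve_live([...]))` to apply the same check to live answers from the system resolver instead of the constructed sample.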
     
  3. rumbleON

    rumbleON Thread Starter

    Joined:
    Jan 24, 2007
    Messages:
    7
    OK, flushed and reconfigured OK; didn't look at the connection till after, and it says the name is home.
     
  4. rumbleON

    rumbleON Thread Starter

    Joined:
    Jan 24, 2007
    Messages:
    7
    Just typed "g2.armygrade.com" into browser and got my router control panel again. AAArrrrgggggghhhhhhhhhh!!!!!!!!!!!

    Verizon says they don't know anything but not to worry---when things are weird I worry. I have no valuable info in the system but still don't like this.

    Think I may contact IANA and ask how someone could register this IP to a private domain.
     
  5. Jedi_Master

    Jedi_Master

    Joined:
    Mar 12, 2002
    Messages:
    5,520
    Don't feel bad, when I type in that address it puts me into my router too :D...

    Looks like someone has registered a domain g2.armygrade.com with the wrong address...
     
  6. rumbleON

    rumbleON Thread Starter

    Joined:
    Jan 24, 2007
    Messages:
    7
    OK... I guess it's nothing nefarious, but it sure doesn't make any sense. Anyone in charge of registering domains would surely know that IP is in a block of reserved numbers.

    Thanks to those that answered this post.
     
Short URL to this thread: https://techguy.org/538331