March 11, 2012 00:01 Hijacked Wireless Connection Win 7 #195126
Rick_1234

Novice
Join Date: 10.3.2012
Posts: 4
System:
Windows 7 Home Premium - fully updated with Windows Update
AVG 2011 10.0.1424 - paid version - db version 2113/4844
previously installed AVG 2010 ( a few years back)

Network:
This system wirelessly connects to a D-Link DIR-615 router.
The D-Link is connected to NetGear DM111PSP DSL Modem.


Symptoms:
The wireless Connection on system is named net_air.
A new Wireless Connection named net_air 2 appeared and became the default network connection.
When opening Internet Explorer 9.0.8117.16421 - regardless of web url entered I am redirected to that url/Check_Connected.htm.
This page looks like a NetGear Wireless Adapter Setup Wizard for a NetGear WNCE2001.
There is no Netgear wireless adapter on this system. It uses a Belkin.
If you follow the "wizard" it wants you to pick your access point and fill in the security details (I haven't done that).

IPConfig shows an incorrect IP address for net_air. The IP address is 192.168.1.101, default gateway 192.168.1.251. A valid IP for net_air would be 192.168.0.xxx.
If you ping any system or url it replies with the same 192.168.1.251 address regardless of what you are pinging.

I also noticed that AVG is not running in the notification area after booting.


What I've tried:
By disabling the wireless adapter I can go into "Merge and Delete Network Locations" and delete net_air 2. However, after re-booting net_air 2 re-appears. I also tried this in Safe Mode w/ Networking and net_air 2 re-appeared after re-booting.
I've gone back two restore points. The first was probably from the same day this issue started. The second was from 3 days earlier. No difference, same problems.
I copied gmer.exe to the system and tried to run the AutoStart scan. It did not do or report anything.
I ran the Rootkit scan with gmer.exe (renamed). It did report a couple of entries. The scan is attached.
I also ran HiJackThis and have attached that log if it is helpful.
I installed and ran MalwareBytes but it reported no problems.
Besides IE, I installed FireFox just to test and have the same issue when opening any URL.

I manually started AVG and ran a full scan. It found a few things in the recycle bin and in windows mail. I've attached the log. After AVG fixed these issues I once again went into the networking and disabled the wireless adapter and removed net_air 2. While shutting down the system BSOD. I rebooted and the system "detected" the Belkin wireless USB adapter and created a new network adapter config for it. Now there are no existing connections - both net_air and net_air 2 are gone. Since there are no network connections now my only choice is to create a new network.
Also, AVG is now in the system area after booting.
Opening IE takes me to an unable to display web-page (avg since link scanning is on).
I then ran a full scan with AVG Rescue CD and it found some issues but they all looked like they were already in avg.

I'm reluctant to create a new network connection until I am comfortable the problem is really resolved. This system is used for on-line banking, etc. If I can't be 100% sure the virus is gone I think I need to re-format and re-install.

This is my wife's system and she believes the problem started not too long after she was going through her messages on Facebook.

Any help would be great. I'm just about out of ideas.

Thanks,
Rick
March 11, 2012 01:40 Re: Hijacked Wireless Connection Win 7 #195133
Rick_1234

Here is the gmer rootkit scan after running the AVG rescue CD and all of the things below.
March 12, 2012 12:07 Re: Hijacked Wireless Connection Win 7 #195184
nemethste

Administrator
Join Date: 1.11.2011
Posts: 1730
Hello Rick_1234,

Analysis of the scan results does not indicate that your computer is infected.

Is this issue with redirecting occurring also in another browser?

Resetting your proxy configuration may also help to resolve the issue.

Should the system crash again, please provide us with the content of the C:\Windows\Minidump folder.

You may also set correct IPs manually and see whether the issue persists.

Thank you.




AVG Team
March 12, 2012 17:05 Re: Hijacked Wireless Connection Win 7 #195208
Rick_1234

Thanks for your response.

Something is going on and it is spreading.
A second wireless laptop is now showing the same issue.
The original system with the problem was booting clean on Sat. after I did all of the things in my original post. However, this morning when I booted it both the net_air and net_air 2 connections are back and net_air 2 is the one trying to connect.

Additionally, I have two XP Virtual Machines running on a different host computer that is wired, not wireless. After re-booting the VMs this morning they are both connecting to 192.168.1.xxx instead of 192.168.0.xxx and go to the redirected NetGear Wireless Setup Wizard when you open a browser. There is no wireless connector in the VM setup or on the host system. It is all wired.

I checked the proxy settings in the browsers and they are set to automatic.

Most of the systems have saved credentials so they can access the shares of the other systems (probably not a good idea). At this point the only system which does show the problem is the main host desktop system. I'm afraid to reboot it.

Any other ideas?

Rick

EDIT.. additional info.. Forgot to mention in my post that an AVG full scan and anti-rootkit scan on the XP virtual machine came back clean.
March 12, 2012 22:41 Re: Hijacked Wireless Connection Win 7 #195237
Rick_1234

Update..

This appears to have been an attack from outside the network.
I had an IT pro come over and we found the systems were attaching to the wrong DHCP server. Putting that MAC in my router's blocked list fixed the problem. I upgraded my security to WPA2. Hopefully that takes care of it.

Rick
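
The symptom reported in this thread (a 192.168.1.101 lease with gateway 192.168.1.251 on a network that should hand out 192.168.0.xxx) can be checked for directly. The following is an added example, not part of the original posts: it parses `ipconfig /all` output and flags adapters whose lease is off the expected subnet or came from an unlisted DHCP server. The sample output, the adapter names, the DHCP Server value and the router address 192.168.0.1 are constructed assumptions.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpt. The first lease mirrors the addresses in
# the thread; the DHCP Server value and the second adapter are assumptions.
SAMPLE = """\
Wireless LAN adapter Wireless Network Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.251
   DHCP Server . . . . . . . . . . . : 192.168.1.251

Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.0.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
"""

HEADER = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD = re.compile(r"^\s+(IPv4 Address|Default Gateway|DHCP Server)[ .]*:\s*([\d.]+)")

def parse_ipconfig(text):
    """Return one dict per adapter with the lease fields that were present."""
    adapters, current = [], None
    for line in text.splitlines():
        if header := HEADER.match(line):
            current = {"adapter": header.group(1)}
            adapters.append(current)
        elif (field := FIELD.match(line)) and current is not None:
            current[field.group(1)] = field.group(2)
    return adapters

def check_leases(adapters, expected_net, trusted_dhcp):
    """Flag adapters whose lease is off-subnet or from an unlisted DHCP server."""
    net = ipaddress.ip_network(expected_net)
    findings = []
    for a in adapters:
        reasons = [f"{k} {a[k]} outside {net}" for k in ("IPv4 Address", "Default Gateway")
                   if k in a and ipaddress.ip_address(a[k]) not in net]
        server = a.get("DHCP Server")
        if server and server not in trusted_dhcp:
            reasons.append(f"lease from untrusted DHCP server {server}")
        if reasons:
            findings.append((a["adapter"], reasons))
    return findings

if __name__ == "__main__":
    # Expected subnet from the thread; the trusted router address is assumed.
    for name, why in check_leases(parse_ipconfig(SAMPLE), "192.168.0.0/24", {"192.168.0.1"}):
        print(name, "->", "; ".join(why))
```

On a live Windows system the same functions can be fed the saved output of `ipconfig /all`; an adapter with a static address has no DHCP Server line and is judged on its subnet alone.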
March 13, 2012 08:03 Re: Hijacked Wireless Connection Win 7 #195251
nemethste

Hello Rick_1234,

We are glad to hear that the issue had been resolved.

Having WEP encryption on wifi, which is easy to hack (even some android phones can do that now), may be a serious security threat nowadays, but here in AVG we must always suspect infection first, which is also able to cause the described issue.

Thank you.
