Redirect from Web site - National Rail

Status
Not open for further replies.
Please post the full URL you used when the error occurred.

Here in the U.S., the one you've shown doesn't help (me at least) too much
 
re-direct from National Rail

Apologies,
When I access the address below I encounter the Security Question pop up - "you are about to view pages over a secure connection". At some point from then on, I get the re-direct message.
Sometimes I get to enter some station details but I get redirected virtually straight away. I've just tried again and I got to choose a leaving and destination and clicked search before it re-routed me.

http://www.nationalrail.co.uk/

The URL I posted appears on a Sony Search Page - I don't ever see one of these but I am operating from a Sony VAIO. (I'll be updating my system profile later today if that may be relevant.)
 
hum; starting with http://www.nationalrail.co.uk/
set From, To,
search
then arrives upon
http://ojp.nationalrail.co.uk/en/pj/jp

which is the same domain, just a different server or server alias

this is very typical operation.

you reported a redirection to http://req.connect.wunderloop.net/RQ...7/509/if%3Ford.
which is very ATYPICAL

is this 100% repeatable or just periodic?
 
re-direct from National Rail2

Need to add, the only slight inconsistency is how long it takes to re-direct me.
I don't always follow the path of adding details and searching. The re-direct sometimes whisks me away before I get a chance to enter any details.
 
Hi .
I am having exactly the same experience - I have McAfee working, tried SpyWare Doctor and now trying Zone Alarms. I understand it's a site that records and traces site interests but I have still to get rid of it!
 
re-direct from National Rail

ok, cleansing results, by actions required.
I've already gone through these processes to remove some dodgy virus (see previous threads) so followed all steps before and retained all free stuff to keep safe.

1 - disabled Zone alarm etc.
2 - already running AVG and Zone Alarm - checked versions ok
3 - Online scanner - detected vulnerabilities and HTTP Cookies fixed
4 - version of HJT up to date and called Crusty so skipped 4 and 5
5 - as above
6 - same as HJT, 6,7,8 and 9 ensured hold latest versions
7 -
8 -
9 -
10 - followed the 3 tools download
11 - Panda Antirootkit - clean
12 - Combofix file attached
13 - dss - conflicting instructions here, the thread asks for the files to be attached (main and extra) however the last step clearly doesn't want any damn extra files. I've attached them, ignore if not appropriate.
14 - ran SS&D, Adware personal se and AVG Antispyware - AVG file attached
15 - ran HJT - file attached

tried accessing National Rail URL with same results.
 
Hi
Clearly we tried along same lines. One Wunderloop web page says ... have not enabled Javascript... Maybe National Rail want this information reported! Yahoo was the same. Anyone know of any other sites. Nearer to a solution?
 
dss - conflicting instructions here, the thread asks for the files to be attached (main and extra) however the last step clearly doesn't want any damn extra files

Please note: If you have any problems with Combofix, please do the following instead.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

It's no big deal, just looking over your logs now, I'll post back later.

teatimer
Please disable Teatimer as it may interfere with the fix.

First:
  • Right click on Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your system for the changes to take effect.
This will be enabled when the system is clean

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
Will depend on what HJT interface you are using.
If yours opens with the Main Menu go to step 3 (untick "Show this window when I start HijackThis" to have HJT open with the scan window)
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Attach that here for me please.

Finally run HJT again now that teatimer has been disabled and post the log back here.
 
GoogleDesktopDisplay.exe has been known in the past to allow backdoor entry to systems.
I know some satisfied users, but frankly, I wouldn't trust it.

I see you're running sqlservr.exe; This is a security exposure.
make sure it accepts ONLY connections from your local LAN.

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe"
unless you have a network printer ie one attached to the router with an IP address,
this service is of no value to you.

You might EDIT this file C:\WINDOWS\system32\tmp.reg
to determine what was added to your registry -- could be good or bad
(DO NOT OPEN; EDIT the file via right-click->edit)
 
re-direct from National Rail

okay,
- removed googledesktopdisplay,
- removed bonjour,
- saved contents of tmp file (attached) - I haven't a clue what it means!
- need some help with the sqlservr.exe, how do I make sure it only accepts connections from local LAN?
 
I have been following the thread as I am having the same problem. I do not have the Google stuff mentioned and I am not sure if the other references refer to my system. I could not download the HijackThis software but do not know why. I have attached my main.txt and extra.txt to compare. I have picked up a few things in common which may help but I do not know their significance, if any. Comments?

C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe (although I appear to have loads of them)
C:\WINDOWS\system32\winlogon.exe

* O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
* O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
* O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
* O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (although this is a recent instal and I had my similar problem with yahoo before)
* O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
* O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
* O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
* O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
* O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
* O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
* O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
* O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

*multiple svhost.exe
 
1Bruce; please create your own thread for your issues so as to not confuse
issues, diagnoses and suggestions. Thanks
 
charlie muffin said:
- need some help with the sqlservr.exe, how do I make sure it only accepts connections from local LAN?

see this article point #7 TCP port 1433 and UDP port 1434.
The default rules on a firewall are to DENY, so initially there's nothing to do.
But after installing SqlServer, you need to be sure that TCP port 1433 and UDP port 1434 were not allowed from the Internet.

To operate correctly, the server systems must have these ports allowed and the
clients accessing the server must also.

You need to add a rule to all systems; you need your lan subnet addresses.
use run->cmd /k ipconfig
on the line IP Address there's an address shown as aaa.bbb.ccc.ddd
the subnet is the aaa.bbb.ccc portion without ddd

the firewall rule would look like
allow in/out tcp/udp dest-ip aaa.bbb.ccc.1-aaa.bbb.ccc.254 ports 1433-4134
move this rule to the point in the list of rules where the rule following is the first deny
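
The rule placement described in the reply above, modelled as an added example (not part of the original posts and not any firewall product's own syntax): it derives the LAN subnet from an ipconfig address, builds allow rules for TCP 1433 and UDP 1434, and shows why they must sit before the first deny in a first-match rule list. The rule tuple layout, the /24 mask, the sample addresses and the base rule list are assumptions constructed for illustration.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def lan_subnet(ipconfig_address):
    # aaa.bbb.ccc.ddd -> aaa.bbb.ccc.0/24 (assumes a 255.255.255.0 mask, the
    # "aaa.bbb.ccc portion without ddd" from the post)
    return ipaddress.ip_network(f"{ipconfig_address}/24", strict=False)

def sql_allow_rules(lan):
    # One rule per port the post names: TCP 1433 and UDP 1434, LAN peers only
    return [("allow", "tcp", lan, 1433), ("allow", "udp", lan, 1434)]

def insert_before_first_deny(rules, new_rules):
    # Place the new rules so that the rule following them is the first deny
    for i, rule in enumerate(rules):
        if rule[0] == "deny":
            return rules[:i] + new_rules + rules[i:]
    return rules + new_rules

def decide(rules, proto, peer, port):
    # First matching rule wins; no match falls through to the default deny
    peer = ipaddress.ip_address(peer)
    for action, r_proto, net, r_port in rules:
        if r_proto in (proto, "any") and peer in net and r_port in (port, None):
            return action
    return "deny"

# Constructed base rule list: one unrelated allow, then a catch-all deny
BASE_RULES = [
    ("allow", "tcp", ANY, 80),
    ("deny", "any", ANY, None),
]

def demo():
    lan = lan_subnet("192.168.1.23")         # constructed ipconfig address
    good = insert_before_first_deny(BASE_RULES, sql_allow_rules(lan))
    bad = BASE_RULES + sql_allow_rules(lan)  # appended after the deny: never reached
    return {
        "lan_tcp_1433": decide(good, "tcp", "192.168.1.40", 1433),
        "internet_tcp_1433": decide(good, "tcp", "203.0.113.9", 1433),
        "lan_udp_1434": decide(good, "udp", "192.168.1.40", 1434),
        "misordered_lan_tcp_1433": decide(bad, "tcp", "192.168.1.40", 1433),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```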
 
JoBeard - happy to. Thought that as I am having the same problem as Charlie Muffin the comparison between running programmes would help clarify the one/ones carrying the problem - my mistake!
 
re-direct from National Rail

OK jobeard, when I said help, I REALLY did mean help.
I've found the IP addresses / subnets using the run command, but applying the rule is rather more complex, I don't know where you are asking me to insert the rule.
I connect to the net via a NETWARE wireless broadband router. I don't even know if that comment is relevant.
How do I apply the rule? And where do I apply it?

PS - problem persists following changes made, will this rule make a difference or just protect me better?
 
PS - problem persists following changes made, will this rule make a difference or just protect me better?
The rule will ensure that only local systems can access your SQL server

charlie muffin said:
I've found the IP addresses / subnets using the run command, but applying the rule is rather more complex, I don't know where you are asking me to insert the rule.
How do I apply the rule? And where do I apply it?
The rule goes into the firewall on the system running the sqlserver, not the router itself.
This will ensure that someone breaching your router will not get access to the server.
You need to open the firewall and look at the settings -- which firewall are you using?
 
redirect from National Rail

Hi,

I've been working away for the last 2 days and unable to check progress but it appears there has not been any. Can someone give me an update with this thread please?

Thanks
 