
Can not load g-mail or google on any pc in house [Solved]


  • This topic is locked
128 replies to this topic

#61 Satchfan

Posted 27 February 2012 - 03:53 AM

Hi macdoo

Before trying to solve the network problem, I’d be happier if we could eliminate the possibility of your computer being infected.

I’m going to ask someone nearer your time zone to take over but meanwhile I’d like to try and get aswMBR to run.

Download/run Rkill:

Please download Rkill from one of the following links and save to your Desktop:

Link One
Link Two
Link Three
Link Four

  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: If you get an alert that Rkill is infected, ignore it. The alert is a fake warning given by the rogue software which attempts to terminate tools that try to remove it. If you see such a warning, leave the warning on the screen and then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself so that Rkill can perform its routine.

You may have to make repeated attempts to use Rkill several times before it will run as some malware variants try to block it.

You'll be able to tell when rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

Do NOT reboot, and try running aswMBR again.

===================================================

Download the GMER Rootkit Scanner

Download GMER Rootkit Scanner from here or here.
  • extract the contents of the zipped file to desktop.
  • double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • if it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO.

  • in the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • then click the Scan button & wait for it to finish.
  • once done, click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • save it where you can easily find it, such as your desktop, and attach it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Satchfan

NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.


#62 macdoo

Posted 27 February 2012 - 01:09 PM

aswMBR scan completed but AVAST had an engine error and didn't update list.

Edited by macdoo, 27 February 2012 - 01:15 PM.


#63 Satchfan

Posted 27 February 2012 - 02:55 PM

It doesn't matter about the update, please send the log which should be on your desktop.

Could you also send the result of the Gmer scan.

#64 macdoo

Posted 27 February 2012 - 05:17 PM

Ran GMER and comp shut down after ten min. Tried again and it had been running for two hours when I walked away and came back to the computer off.

    aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
    Run date: 2012-02-27 13:41:56
    -----------------------------
    13:41:56.366 OS Version: Windows 5.1.2600 Service Pack 3
    13:41:56.366 Number of processors: 2 586 0x4802
    13:41:56.366 ComputerName: HEIDI UserName:
    13:41:57.225 Initialize success
    13:42:18.257 AVAST engine download error: 0
    13:42:30.944 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000008c
    13:42:30.960 Disk 0 Vendor: Size: 0MB BusType: 0
    13:42:30.991 Disk 0 MBR read successfully
    13:42:30.991 Disk 0 MBR scan
    13:42:31.007 Disk 0 unknown MBR code
    13:42:31.022 Disk 0 MBR hidden
    13:42:31.038 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 101378 MB offset 63
    13:42:31.085 Disk 0 Partition 2 00 0C FAT32 LBA RECOVERY 12056 MB offset 207640125
    13:42:31.116 Disk 0 Partition 3 00 D7 NTFS 1027 MB offset 232332030
    13:42:31.178 Disk 0 scanning C:\WINDOWS\system32\drivers
    13:42:40.335 Service scanning
    13:42:41.507 Modules scanning
    13:42:47.397 Disk 0 trace - called modules:
    13:42:47.444 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
    13:42:47.460 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85fa2ab8]
    13:42:47.491 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\0000008d[0x85fa1ac0]
    13:42:47.522 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\0000008c[0x85fe6030]
    13:42:47.538 Scan finished successfully
    13:42:59.585 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Heidi Seitz\Desktop\MBR.dat"
    13:42:59.616 The log file has been saved successfully to "C:\Documents and Settings\Heidi Seitz\Desktop\aswMBR.txt"

#65 oldman960

Posted 27 February 2012 - 08:27 PM

Hi macdoo,

Satchfan asked that I have a peek at this. I'm a bit closer in time zones, I'm on the left side of N.A.

Since all computers seem to be affected and the problem can be resolved by connecting to a different modem, this appears to be a router/modem hijacking. Please be patient, we may be revisiting/redoing some steps. Remember I'm playing catch-up.

Are your modem and router one unit or are they separate? What is the brand and model number of it/them?

Let's try this for a quick look to see if we can resolve this temporarily. If this works we will work on a permanent fix. Note: this fix will only apply to the computer we are working on.

  • Go to Start > Control Panel, and choose Network Connections.
  • Right click on your default connection, usually Local Area Connection for cable and DSL or your wireless connection if we are working on a wireless problem and choose Properties.
  • Click on the Internet Protocol (TCP/IP) item.
  • Click Properties
    • In the lower box, click the box beside Use the following DNS server addresses
    • In the first box type 208.67.222.222
    • in the second box type 208.67.220.220
  • Click OK

Next

OTL should run, I toned the fix down a bit.

Run OTL
  • double click on the icon to run it.
  • copy/paste ALL the following text written inside the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :Services
    
    :OTL
    FF - prefs.js..browser.search.defaultenginename: "iMesh Web Search"
    FF - prefs.js..browser.search.order.1: "iMesh Web Search"
    
    :Files
    ipconfig /flushdns /c

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Please post the OTL fix log.

Try a couple of searches. Any better?

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#66 macdoo

Posted 28 February 2012 - 06:03 AM

OMG you fixed it. Even if only temporary. ONE post, I can't believe it, this has been going on sooooo long OMG. My router and modem are one I believe. It is an ACTIONTEC MI424WR supplied by my internet and cable provider Verizon. Here is OTL

========== SERVICES/DRIVERS ==========
========== OTL ==========
Prefs.js: "iMesh Web Search" removed from browser.search.defaultenginename
Prefs.js: "iMesh Web Search" removed from browser.search.order.1
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Heidi Seitz\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Heidi Seitz\Desktop\cmd.txt deleted successfully.

OTL by OldTimer - Version 3.2.33.1 log created on 02282012_065858

#67 oldman960

Posted 28 February 2012 - 09:46 AM

Hi macdoo,

Ok let's see if we can get the router cleaned up. Please follow the instructions HERE to reset it back to factory settings.

Post back when you have finished and we'll make some changes and see if it worked.

Thanks

#68 macdoo

Posted 28 February 2012 - 03:04 PM

OK. I reset the router and the temporary fix is broken. I have not made any changes to the router since we've had it. Everything is default Verizon settings.

#69 oldman960

Posted 28 February 2012 - 04:29 PM

Hi macdoo,

  • Go to Start > Control Panel, and choose Network Connections.
  • Right click on your default connection, usually Local Area Connection for cable and DSL or the wireless connection if that is what we are working on and choose Properties.
  • Click on the Internet Protocol (TCP/IP) item.
  • Click Properties
  • In the lower box, click the box beside Obtain DNS server addresses automatically
  • Click OK

Next

  • Now go to Start > Run > type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: cmd
  • Hit Enter.
  • In the command window, type, NSLOOKUP
  • hit enter
  • Please post the results
To copy the results
  • right click in the black window and click select all
  • click the tiny c:\ in the top corner
  • highlight edit and click copy

#70 macdoo

Posted 28 February 2012 - 04:34 PM

    Microsoft Windows XP [Version 5.1.2600]
    © Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Heidi Seitz>cmd
    Microsoft Windows XP [Version 5.1.2600]
    © Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Heidi Seitz>NSLOOKUP
    Default Server: Wireless_Broadband_Router.home
    Address: 192.168.1.1

    >


#71 oldman960

Posted 28 February 2012 - 04:59 PM

Hi

Looks like it may have worked. Let's take a better look


  • Now go to Start > Run > type: cmd
  • Press OK or Hit Enter.
  • In the command window, type, ipconfig /all
  • hit enter
  • Please post the results

#72 macdoo

Posted 28 February 2012 - 05:03 PM

    Microsoft Windows XP [Version 5.1.2600]
    © Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Heidi Seitz>ipconfig /all

    Windows IP Configuration

            Host Name . . . . . . . . . . . . : Heidi
            Primary Dns Suffix . . . . . . . :
            Node Type . . . . . . . . . . . . : Unknown
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No
            DNS Suffix Search List. . . . . . : home

    Ethernet adapter Local Area Connection:

            Media State . . . . . . . . . . . : Media disconnected
            Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
            Physical Address. . . . . . . . . : 00-16-D3-14-61-33

    Ethernet adapter Wireless Network Connection 2:

            Connection-specific DNS Suffix . : home
            Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
            Physical Address. . . . . . . . . : 00-14-A5-CF-E5-AA
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . : 192.168.1.5
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.1.1
            DHCP Server . . . . . . . . . . . : 192.168.1.1
            DNS Servers . . . . . . . . . . . : 192.168.1.1
                                                68.238.112.12
            Lease Obtained. . . . . . . . . . : Tuesday, February 28, 2012 5:31:13 PM
            Lease Expires . . . . . . . . . . : Wednesday, February 29, 2012 5:31:13 PM

    C:\Documents and Settings\Heidi Seitz>
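
Added example, not part of the original thread or any poster's code: the check the helpers make by eye on `ipconfig /all` output, done in Python by parsing the text and labelling every DNS server each adapter uses. The `TRUSTED` set, the verdict names and the sample text are assumptions made for this illustration.

```python
import ipaddress

# Resolvers already verified by the reader (assumption); these two are from the thread's temporary fix.
TRUSTED = {"208.67.222.222", "208.67.220.220"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _ip(token):
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def parse_ipconfig(text):
    """Return {section: {field: [tokens]}} from Windows `ipconfig /all` text."""
    sections, current, last = {}, None, None
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():                    # unindented line opens a section
            current, last = sections.setdefault(line.strip().rstrip(":"), {}), None
        elif current is not None and last and _ip(line.strip()) is not None:
            current[last].append(line.strip())       # wrapped value, e.g. second DNS server
        elif current is not None and ":" in line:
            key, _, val = line.partition(":")
            last = key.strip(" .")
            current[last] = val.split()
    return sections

def audit_dns(text, trusted=TRUSTED):
    """Yield (section, dns_server, verdict) for every resolver an adapter uses."""
    for name, fields in parse_ipconfig(text).items():
        dhcp = "Yes" in fields.get("Dhcp Enabled", [])
        for server in fields.get("DNS Servers", []):
            addr = _ip(server)
            verdict = "unverified-dhcp" if dhcp else "unverified-static"  # default: not vouched for
            if server in trusted:
                verdict = "trusted"
            elif server in fields.get("Default Gateway", []):
                verdict = "router-forwarder"         # the router's own upstream DNS decides the answers
            elif addr is not None and any(addr in net for net in RFC1918):
                verdict = "unknown-lan-host"
            yield name, server, verdict

# Constructed sample in the Windows XP layout; 203.0.113.53 is a documentation address.
SAMPLE = """\
Ethernet adapter Wireless Network Connection 2:
        Dhcp Enabled. . . . . . . . . . . : Yes
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
"""
```

An `unverified-dhcp` verdict means the address was handed out by the router, so it has to be checked against the ISP's published resolvers; a resolver pushed by DHCP reaches every machine on the network, which matches the thread's observation that all computers in the house were affected.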

#73 macdoo

Posted 28 February 2012 - 05:20 PM

be back in about an hour. Have family to tend to.

#74 oldman960

Posted 28 February 2012 - 05:23 PM

Hi macdoo, :thumbup: Looks good. Have you tried any searches?

#75 macdoo

Posted 28 February 2012 - 06:12 PM

Wow. So nice to see g-mail. Have we fixed ALL 5 of my computers? Is this permanent? Most important question - How did this happen and how can I prevent it from happening again? OK, I checked all the computers and yes they are all working. You are amazing. I reset that router many times. Please explain how you fixed this, how it happened in the first place, and how to prevent it.

Edited by macdoo, 28 February 2012 - 06:38 PM.
