
Can not load g-mail or google on any pc in house [Solved]


  • This topic is locked
128 replies to this topic

#76 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 28 February 2012 - 06:39 PM

Hi macdoo,

All the computers should be fine now unless they are infected. The problem was the modem DNS Server was hijacked; we have reset it to the correct one. This could have happened from an infected computer, perhaps the one we are working on. It could also have come from an outside computer. Since all modems of the same brand and model have the same default password, it is possible that someone "borrowed" your connection if you are using the default password. I suggest you change the password from default to one of your choosing.

Let's see where we are.

When you ran aswMBR there should have been a file named MBR.dat placed on your desktop. Please zip it and attach it to your next reply.



Go to add/remove programs and uninstall the following

J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 4


Do not uninstall Java™ 6 Update 26


Next

Click your start button, open Control panel.
  • Locate the Java icon (it looks like a coffee cup)
  • double click it to open it
  • click the Update tab
  • Click update now

After the java is updated, reboot your computer if not prompted to.


Next, clear the java cache

To clear the Java Plug-in cache:
  • Click Start > Control Panel.
  • Double-click the Java icon in the control panel.
  • On the General tab, Click Settings under Temporary Internet Files.
  • On the Temporary Files Settings screen, Click Delete Files.
  • check all boxes
  • Click OK


Next open OTL
  • check the box beside scan all users
  • click the quick scan button

Please post back with
  • mbr.zip (attached)
  • OTL.txt

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.
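
A check for the DNS hijack described in the post above, added here as an example (not part of the thread or of any tool it uses): it parses `ipconfig /all` output and reports DNS servers that are neither the adapter's gateway nor on a list you trust. The sample output, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed `ipconfig /all` output; addresses are from documentation ranges.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
"""

# "Label . . . . : value" -- the space before the colon keeps IPv6 text out.
FIELD = re.compile(r"^\s+(\S.*?)[ .]* :\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}, following continuation lines."""
    adapters, fields, key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line: section header
            is_adapter = line.rstrip().endswith(":")
            fields = adapters.setdefault(line.rstrip()[:-1], {}) if is_adapter else None
            key = None
        elif fields is not None:
            m = FIELD.match(line)
            if m:
                key = m.group(1)
                fields[key] = [m.group(2).strip()] if m.group(2).strip() else []
            elif key:
                fields[key].append(line.strip())  # e.g. a second DNS server
    return adapters


def unexpected_resolvers(text, trusted):
    """List (adapter, resolver) pairs outside the gateway and `trusted` (assumed list)."""
    ip = lambda s: ipaddress.ip_address(s.split("%")[0])
    allowed = {ip(t) for t in trusted}
    findings = []
    for name, fields in parse_ipconfig(text).items():
        ok = allowed | {ip(g) for g in fields.get("Default Gateway", [])}
        for raw in fields.get("DNS Servers", []):
            if ip(raw) not in ok:
                findings.append((name, raw))
    return findings
```

A resolver equal to the gateway only means the modem is relaying queries, so the modem's own DNS setting still has to be checked on its admin page.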



#77 macdoo

macdoo

    Authentic Member

  • Authentic Member
  • 70 posts

Posted 28 February 2012 - 07:38 PM

I have a Notepad document on desktop that is an aswMBR.txt. Is that the same as the one you are asking for?

#78 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 28 February 2012 - 07:42 PM

Hi macdoo,

No, that's the log from aswMBR. The log indicates that the file was saved to the desktop.

13:42:59.585 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Heidi Seitz\Desktop\MBR.dat"


Are there any other files named mbr besides the mbr.txt?

#79 macdoo

macdoo

    Authentic Member

  • Authentic Member
  • 70 posts

Posted 28 February 2012 - 07:49 PM

Ok I found everything.

Attached Files

  • Attached File  MBR.zip   597bytes   180 downloads
  • Attached File  OTL.Txt   96.24KB   222 downloads


#80 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 28 February 2012 - 08:14 PM

Hi macdoo,

Any issues with any of the computers?

Let's see if this temporary file cleaner is more agreeable with your computer.

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Note your computer may boot a little slower the first couple of times.



Next, Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :
:Services

:OTL
[2010/09/02 03:09:28 | 000,002,486 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\iMeshWebSearch.xml
CHR - default_search_provider: search_url = http://search.imesh.com/web?src=crb&systemid=1&q={searchTerms}
[2011/02/21 17:08:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heidi Seitz\Application Data\imeshbandmltbpi

Then click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
Please post the OTL fix log.



One more scan to check for stragglers.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Go here to run an online scanner from ESET

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
  • Click Scan.
  • Wait for the scan to finish.
  • When the scan completes, click List of found threats
  • click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
  • Include the contents of this report in your next reply

    Note - when ESET doesn't find any threats, no report will be created.
  • Push the back button.
  • Push Finish
  • Re-enable your Antivirus software.


Please post back with
  • OTL fix log
  • ESET log if there is one
Thanks


#81 macdoo

macdoo

    Authentic Member

  • Authentic Member
  • 70 posts

Posted 28 February 2012 - 08:24 PM

Your link installed something called PC cleaner. Is that the correct item? Something is wrong. PCCLEANER scanned computer automatically. But, I don't see "main". I can't follow your instructions. I think this is a different cleaner than ATF even though it said ATF on the webpage.

Edited by macdoo, 28 February 2012 - 08:34 PM.


#82 macdoo

macdoo

    Authentic Member

  • Authentic Member
  • 70 posts

Posted 28 February 2012 - 08:52 PM

========== SERVICES/DRIVERS ==========
========== OTL ==========
C:\Program Files\Mozilla Firefox\searchplugins\iMeshWebSearch.xml moved successfully.
Unable to fix default_search_provider items.
C:\Documents and Settings\Heidi Seitz\Application Data\imeshbandmltbpi folder moved successfully.

OTL by OldTimer - Version 3.2.33.1 log created on 02282012_214609

#83 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 28 February 2012 - 09:14 PM

Hi macdoo,

The download link is on the page at Major Geeks. I just tried it and I ended up with ATF.exe. When you click on the link the page will change. Do not click anything else, the download should start.

#84 macdoo

macdoo

    Authentic Member

  • Authentic Member
  • 70 posts

Posted 28 February 2012 - 09:37 PM

OK I found it and all went well. I assume the OTL went well too. The ESET seems to be stuck on norton360. Norton is disabled. The file number isn't changing and stuck on 15%. Maybe I'm just impatient. Yeah, I'm impatient. It started again lol.

Edited by macdoo, 28 February 2012 - 09:38 PM.


#85 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 28 February 2012 - 09:51 PM

Hi macdoo,

OTL was OK. Just be patient. Depending on what the scanner is scanning it may look like it stalled. Computers have a lot of compressed files and it takes time for the scanner to open, scan and close them.


#86 macdoo

macdoo

    Authentic Member

  • Authentic Member
  • 70 posts

Posted 29 February 2012 - 05:14 AM

ESET found no threats

#87 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 29 February 2012 - 10:36 AM

Hi macdoo,

Looks good then.

You may want to remove iMesh as your search engine in Chrome and set another as default.

1. Click the wrench icon on the browser toolbar.
2. Select Options.
3. Click the Basics tab and find the "Search" section.
4. Select the search engine you want to use from the menu. If the search engine you want to use doesn't appear in the menu, click Manage search engines.
5. In the Search Engines dialog that appears, select the search engine that you'd like to use from the list.
6. Click the Make Default button that appears in the row.

You can also remove iMesh by clicking on it and clicking Remove.


You can leave the DNS Servers we configured your computer to use while we were cleaning the router. Your computer will not use them as we have now configured it to use the DNS Servers on the modem.


We'll clean up the tools and send you on your way.

From your desktop, please delete, if present
  • any notepads/logs that we created
  • DDS.scr
  • aswMBR.exe
  • mbr.dat
  • mbr.zip
  • FSS.exe
  • Rogue Killer
  • TDSSKiller.zip
  • TDSSKiller.exe
  • MBRCheck.exe
  • SystemLook
  • Rkill
  • GMER


Next

Click the Start button, click Run. [Vista users, go Start>"Start search"] Copy and paste the following line into the run box and click OK
Combofix /uninstall


Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.


I suggest you keep MBAM. Keep it updated and use it regularly.

You can keep ATF also.


Updates and upgrades

You have an older version of Adobe Reader. You can download the current version HERE

You may want to consider Foxit Reader instead. It may be a bit lighter on resources. If you choose to use Foxit, decline the Foxit Toolbar when asked during the install.

Visit their support forum
Foxit Forum

In either case you should uninstall Adobe Reader 9.4.1 first. Be sure to move any PDF documents to another folder first though.



Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall.

I suggest either of these for a resident antispyware program.

Windows Defender
OR
Winpatrol


You should also use Spyware Blaster to help immunize your computer.

- SpywareBlaster will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs.

OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
HOSTS

Please read the info on disabling the DNS Client before installing a custom hosts file.


-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis


- Make sure you have reset Automatic Updates to your chosen option. Click your start button > Control Panel > System > Automatic Updates tab


- Keep your antivirus program updated, as well as any other security programs you have.


-More tips and programs can be found HERE


Please post back if you have any problems.

Take care


#88 macdoo

macdoo

    Authentic Member

  • Authentic Member
  • 70 posts

Posted 29 February 2012 - 10:15 PM

Houston..... We have a problem. Everything was great until I just woke from a nap. Back to cannot load g-mail home page and google search redirects. No one has "Borrowed" my connection. I'm pretty sure I know who is infected. My brother-in-law lives next door and is a single father to a 13 year old boy with free will on a computer. They use my wireless for internet. Need I say more. The big question is how to fix his computer. I don't even go inside his house lol. I'd welcome any ideas. I think he has norton 360 but disabled it cuz it slowed the computer so much. Would enabling it and running a deep scan help this situation? Sorry all our work has been undone.

#89 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 01 March 2012 - 01:06 AM

Hi macdoo,

You can try to scan the suspected computer with the onboard antivirus but you should get access to the computer or have them come here. Without any logs we don't know what it is infected with. As long as that computer is connected to your modem the problem will remain.

#90 macdoo

macdoo

    Authentic Member

  • Authentic Member
  • 70 posts

Posted 01 March 2012 - 04:35 AM

I will try to get the computer and contact you from it so you can check it out.
