BleepingComputer.com: XP Security Center, redirecting, now infected router and network PCs

So this is the biggest type of malware and spyware that I have ever experienced to date. I have seen my fair share of malware and viruses, but most were easily removed within an hour or so and never came back. My troubles, which started yesterday, are much more extensive. In this house I have a NetGear WGR614v7 router updated to the latest firmware, which is 2.0.30. I have one laptop and one desktop running via wireless, one wireless printer, and a hardwired desktop computer on this network. I have my wireless network secured with both WPA TKIP and also a MAC address access list. The router password is also changed from that of the default. Initially my wired desktop was infected with the XP Security Center virus. I was able to remove with malwarebytes and spybot, which both found a lot of entries. I scanned so many times the past two days that I am absoultely exhausted. A few blue screens of death occured along the way, and I was in and out of safe mode scanning both in regular windows and also safe mode. I believe XP security center is gone, however, alot of my Internet Explorer activities are being redirected to spam! There is nothing that malwarebytes or spybot picks up on anymore. I have run combofix once entirely and it did find some stuff and apparently fixed it. The first time I ran it, it needed to restart because it found some rootkits, and it did, but when it began to run on the startup the computer was timing down to restart itself because services.msc had failed or something. The second time around, combofix was able to run entirely. I tried to run it a second time later on but gave up when I had the same error occur with the services.msc and the computer restarting while combofix was trying to run.

So today, everything was well, I ran spyware scans on both of the other wireless computers yesterday and nothing was found, just for good measure.

Today, after I ran some more scans and changed some settings in my router and then saved, the internet was disabled on the two wireless machines and an error (red box with police officer holding a sign) stating that "The page does not support your version of browser. Please update your software." There is also a link called "browser update" with a file called "update.exe" which can pretty much be assumed to be a virus. I have NEVER clicked that, but that is what is there. I did a hard reset of the router back to factory defaults and all was well, until about 30 minutes later when the same crap started happening. I brought over my flash drive and tried to run combofix on the wireless laptop but it got a blue screen of death for some IRQ error something. When restarted the internet worked, and I am posting this via the wireless laptop because my hardwired desktop is such a pain in the arse, I cannot even navigate to this website because it redirects me all over the place.

I scanned my flash drives which I were using to transfer the anti malware and spyware programs, and it found 2 infected files on one flash drive and 1 infected file on the other.

What can I do? Nothing is really being found by malwarebytes, spybot, and I am also using Symantec Corporate Edition antivirus which seems to be pretty worthless as it doesn't find anything, and on my desktop, keeps saying that auto-protect is disabled. IT also started giving me an error at startup about virus definitions being missing.

I should also note that upon removal of that XP Security Center virus on my hardwired machine, it made my start menu ENTIRELY EMPTY and made alot of my desktop icons go away, while about a third of them were still there but were changed to being "hidden", also alot of stuff in "c:\documents and settings" were also set to being hidden.

I have been working on this nearly all day today, Friday, what a great Friday! And a good portion of Thursday afternoon through the night.....this is definitely a difficult slew of viruses which looks to have spread through the network, I don't really know WHAT is going on but it isn't good!

This one is vicious and I think new. My daughter got it last night on two computers within an hour from either gmail or facebook and without clicking on any ads.

The first one was an XP machine and I still haven't been able to fix it. It has blocked all internet traffic and Malware from updating and Spybot from even installing. I can't use any system tools such as restore or search. Just get blank boxes if I can get them to open. I was able to early in the battle to attempt a system restore back a few days but it didn't work. Don't know what to do. Tried Rkill and still couldn't get around it.

The 2nd computer was a new Netbook running Windows 7. I had more success with that one. I just did a system restore to an hour earlier and it seems to have solved the problem.

The only other reference on-line to this browser update is from somebody who got the problem last night on their Safari Browser on their Iphone!!!

Hoping somebody can find a solution soon.

I am also experiencing this infection. It is cutting off all internet connections and even an updated Malwarebytes / McAfee are not finding a thing. Same symptoms here. "The page does not support your version of browser. Please update your software" and then there is a "Browser update" link. There are no other popups, just this box that shows up whenever I try to access the internet. This is happening on all user accounts on this machine. The hosts file is not changed on this device, and the internet says "connected". Nothing appears to be running that is malicious in the background, and nothing appears to be malicious in the msconfig "startup" tab.

I'm trying everything that I can think of (I'm an IT support professional), but so far I've thrown everything at it that I can think of and I can't get any connectivity from this device. Safe mode does not provide any help. I'm stuck in the water here, because I cannot reimage this device and reload Windows at this time due to the nature of this computer.

Any suggestions?

I have been getting Blue Screens of Death on both my hardwired desktop running Windows XP and on my wireless laptop running Windows Vista. The other wireless desktop running Windows XP has not got a Blue Screen of Death.

Scans always show up nothing. I am on my hardwired desktop now. It was difficult navigating here to bleeping computer because of the constant redirects.

And I know the router is also infected because when my Android 2.2 phone was connected to my WIFI the internet was also blocked on it showing that screen about the web site not being compatible with my version of browser. Disabled WIFI on my phone and the internet worked again. This is just for WIRELESS connections though, my hardwired desktop has never seen that problem. However, all of the wireless connections are back to normal now, the internet is not being blocked anymore, although who knows it could come back, it did yesterday after I thought it was gone.

My Symantec on this desktop also just warned me that auto-protect was disabled, even though it is clearly still checked. It also says the virus definitions are up to date, even though they are dated May 25th. Every time I start up this system it gives me an error about Missing Virus Definitions. This only happens on my hardwired desktop, not the wireless laptop or wireless desktop.

I will post screenshots of both of the errors I have been seeing below.

This is interesting. Whenever I try to ping a website or an internal server, it resolves the IP to 188.229.88.7 .

EDIT: When visited on a non-infected computer, that pops up the same dreaded message. Something changed the computer to point all internet/intranet traffic to that IP address.

This post has been edited by cjscharrer: 28 May 2011 - 11:15 AM

Virus definitions error. I get this every time at start up. It shows up twice, once after you clear the first message, then it comes back again, then once you close the second one it doesn't come back until the next startup.



Here is the message that any of the wireless connections in my home were getting, including a desktop running Windows XP, a laptop running Windows Vista, and my Android 2.2 phone. If you get this DO NOT CLICK UPDATE, I am guessing that "update.exe" is another virus all in itself. I haven't tested it out to see what it is and I really do not want to, so be safe and don't click or download the file! And by the way, it will say whatever website you try to go to is not compatible, in this case it is just saying facebook because I tried to go to facebook, but it could be Yahoo, Google, AOL.....etc etc etc, whatever site you try to go to.

UPDATE: I have PARTIALLY cleared this device by typing "netsh int ip reset c:\resetlog.txt" in a command window and running that command. This clears and resets the TCP/IP protocols. However, some sites are still redirected (such as google.com and some other internal sites). I will update with more information as I find it.

EDIT: I also ran a "ipconfig /flushdns" from the command line, ran another netsh command, and now the computer appears to be acting normal. Only time will tell if it reappears or if it appears under other user's profiles.

This post has been edited by cjscharrer: 28 May 2011 - 11:27 AM

What about the router? Do you think my router is really infected or was it just my hardwired PC feeding the malicious stuff through the router?

Also I was able to successfully run "ipconfig /flushdns" but I could not get "netsh int ip reset c:\resetlog.txt" to work. Any idea?

There is a lot going on in this thread. So I'm going to do my best to address everything.

@Blaine B.

How many machines are you experiencing issues with? Are you experiencing redirects in all web browsers?

Please check these settings to ensure that they are set properly:

Check - Reset Proxy settings
Malware can alter your proxy settings. If altered, it can affect your ability to browse or download tools required for disinfection.

Internet Explorer Proxy settings:

• Open Internet Explorer > click Tools > Internet Options > Connections tab.
  
• Click the LAN Settings... button and uncheck "Use a proxy server for your LAN"
  or change the settings to the proxy you normally use if you previously reconfigured it.
  
• Remove any unknown addresses from the Address box. 80 is the default Port so it does not have to be changed.
  
• Click OK... then click OK again.
  
• Close Internet Explorer and -restart- the computer.
  
• An example of how to do this with screenshots can be found in steps 3-7 under the section Automated Removal Instructions... in this guide.

Firefox Proxy settings:

• Open Firefox, click Tools > Options > Advanced and click the Network Tab.
  
• Under the Connection section click on the Settings... button.
  
• Under Configure Proxies to Access the Internet, check No proxy. This is the default option if you don't use a proxy.
  
• Click OK... then click OK again.
  
• Close Firefox and -restart- the computer.

For other browsers, please refer to How to configure browser proxy settings.


NEXT:

Quote

Are you still experiencing this issue?

NEXT:

Quote

If you're going to be transferring files/tools from an infected computer to a clean computer you should download and run this tool to protect your flash drives;

Running Flash Disinfector
Download Flash_Disinfector.exe by sUBs from HERE and save it to your desktop.

• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  
• The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  
• Wait until it has finished scanning and then exit the program.
  
• Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.



NEXT:

Quote

We can fix this by running a tool.

Please download UnHide.exe by Grinler.

It will unhide folders/files that were set to be hidden by the infection you had.



NEXT:


Please summarize what issues you are currently experiencing with your computer(s).



____________________________________________________



@cjscharrer,

What issues are you currently experiencing with your computer?

Blaine B., on 28 May 2011 - 11:32 AM, said:

It was not the router for me. It looks like, from previous posts on other sites, that there may have been a popular site that was infected for a short period of time with this... I'm not sure what it is actually... and this may have infected multiple computers on your network. My case was an isolated incident on a very controlled large area network, however, so our setups are a bit different. At any rate, running the fix on each printer should solve the issue. If it does not, or it comes back, I suggest resetting the router back to factory defaults and re-securing the network.

Blaine B., on 28 May 2011 - 11:34 AM, said:

Sorry, don't use quotes around the netsh command and see if that works.

@ SweetTech

I ran "flash disinfector" as per your recommendation. Before clicking OK, I inserted both of my USB flash drives into the two ports on the front of my case. Is it ok to do them both at once? I will have to run "flash disinfector" again and then mount my phone to Windows to make sure it stays clean as well.

I am also running the "un-hide" application right now, but I believe I cleared most of that up manually. The hidden part was not so difficult, as it was recompiling all of the icons and the start menu which were mostly all deleted. Luckily I had a backup of "documents and settings" on my external harddrive just for occasions like these. I knew it would come in handy one day!

Additionally, no proxy server was enabled on any browser of the 3 computers on my home network. That is the thing I checked first. I have had "attempted viruses" before where the internet would be disabled on a machine, and then I would check the proxy to see it had been somehow enabled, but nothing was being redirected anywhere, just no internet connectivity and a blank internet explorer page. Internet explorer is also the only browser I use, I do not have any other browsers installed on any machine I use. I know I probably should......but I have not moved to another browser just yet.

@ cjscharrer & SweetTech

The wireless seems to be working fine now, since last night, just all of a sudden it went from giving me the "red box error" to allowing internet on the devices connected via wireless. As I said that error box has NEVER showed up on my hardwired system, ONLY on anything using the internet via WIRELESS.

I know you mentioned it was probably not the router, but rather a popular website which infected everything all at once. However I really did not use the internet on my phone. I just went to the internet to test it out when the other two wireless connections were skewed, and sure enough, I was receiving the same error message on my phone. I am not sure which browser Android uses by default under the "Internet" icon but it is whatever the phone came with, I did not download any other browsers via the market. Which made me think that it was perhaps the router OR my wired desktop pushing this malicious software through the router into the other systems.....

Also I was not including the " " with your command prompt codes. The first code simply would not work. I get an error sayin the entry point cannot be found. BUT, ipconfig /flushdns did work successfully.

As far as being redirected? I am not really sure. I will have to keep browsing and see if it continues to happen or not.

Thanks for all of the help on this Saturday as well, to all of you!

@Blaine B.

Quote

It was fine that you plugged them both when running Flash Disinfector.

Well, the redirections are still taking place. For instance I tried to go download the newer version of Unlocker and it kept redirecting me to Yellow Pages listing places in Chicagoland for transmission repair.

Also, after doing the ipconfig /flushdns command, I was able to download updated virus definitions for Symantec. However, it still says the virus definitions are from May 25th. Dunno!

Also I am not seeing that file on my flash drives that was supposed to be placed by the flash disinfector program. I do have Explorer set to show hidden files and folders too.

This post has been edited by Blaine B.: 28 May 2011 - 12:37 PM

@Blaine B.

Quote

It's a hidden folder, so if you do not have the option to Show Hidden Files & Folders, it won't be seen.

Please also do this for me. I'd like to get an export of a registry key from you.

But before I do that, I want you to create a back-up of your registry:

Back-Up Registry
First, we need to backup your registry:
Please go to Start > Run
Paste in the following line:

regedit /e c:\registrybackup.reg

Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.


Registry Export
I need some more information on a key in your registry. Please do the following:
Press Start => Run, Copy/Paste the command below into the run dialog box and press Ok:

reg export "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" "%userprofile%\desktop\look.txt"

You should see a new file on your Desktop named look.txt. Please double click on the file to open it, and then attach the contents of look.txt in this thread.

This post has been edited by SweetTech: 28 May 2011 - 12:53 PM