Info On Online Protection Tool


6 replies to this topic

#1 Gaijin


  • Members
  • 13 posts

Posted 31 March 2010 - 11:10 PM

I own a computer repair shop and have been very adept at removing viruses for many years. I have in the last week encountered 3 infections of "Online Protection Tool" that made me want to pull my hair out. I have also seen a few unresolved threads here at BleepingComputer regarding the same virus. As BleepingComputer has helped me much in the past, I thought I would pass along what I learned. Out of 3 infections, there were some common threads. As many know, it is a DNS changer/redirector which leads to the removal tool prompt, which leads to the infection itself. For Googling's sake I will post the threat message here:

"Your browser is under the threat of infection. Windows requires your permission to install online protection tool.

Your browser is run in unsafe mode. Running the protection mode will help you to keep your computer safe. Staying at the suspicious website is unsafe mode my lead to the loss of personal data and computer breakage. To run the web browser in protected mode windows requires installing the certified antivirus scanner software and online protection tool."


All 3 infections I worked on had some common entries. They all set up a DNS Name server pointing to 3 static DNS entries: 93.188.166.105, another in the same range which I did not record, and 1.2.3.4

1 infection I cleaned easily with MBAM fully updated. The other two I cleaned the same and left the site. I did get a call later from BOTH of them, saying it was still there; I had to go back out to the site and found nothing. I was called back promptly and told it was still there. After many hours I was stunned to find the common thread between the two infections I could not clean. They both had the infamous, hacker-friendly Linksys WRT54G!!! Believe it or not, it set the same static DNS entries IN THE ROUTER ITSELF!!!
I was amazed at the ability of the code writers. You could format and it would still be there! I have until this moment only been a leech from BleepingComputer, but now hope I can give something back with help from this tough virus.

I am pretty sure if you just change the default password to log into the router you can prevent the change later on, but given how easy it is to flash the WRT54G I wouldn't put it past people to do the same that way.

Hopefully I don't get flamed for posting this here, but I was so happy to be rid of it that it prompted me to post.

Tom Mills
Omega Computers


#2 quik4life


  • Members
  • 6 posts

Posted 01 April 2010 - 02:31 PM

Thank you SO much for posting. I was tearing my head out as well. Even after formatting my hard drive and doing a fresh install of Windows, the virus was STILL THERE!!

It only makes sense that it's affecting the DNS and switching something around in the router. Both my laptop and desktop run through a WiFi router. I have the Linksys WRT150N Wireless-N Home Router.

I have already created a log in the proper forum; it's been a couple of days, but I'm still waiting for a tech to help me with my problem. At least we now have a better idea of how to beat this thing!!!

How do you get rid of it from your router? Do you have to flash and reinstall the firmware?

#3 Gaijin

  • Topic Starter

  • Members
  • 13 posts

Posted 01 April 2010 - 08:16 PM

Nah, it does not hack anything; it just logs in normally and switches the DNS. Linksys routers should have DNS set to 0.0.0.0 for automatic DNS assignment from the ISP; the virus sets these to static numbers. Just log into the router and change it back to 0.0.0.0, save and restart the router, all fixed. :thumbsup:

As I am not a moderator of any sort you do this at your own risk, but it's quite easy...

Open a command prompt by clicking Start, then Run.
Type CMD in the prompt and press OK.
Type IPCONFIG in the DOS box and press Enter; note your default gateway address.
Open an Internet Explorer page and type the gateway address in the address bar, then hit Enter.
When prompted for a username and password, type admin for the username and admin for the password (this is the default Linksys login; if you have manually changed it to something else, use that).

I believe on the WRT150N you will find it under Setup, then the sub-category Basic Setup; you will see 4 possible lines for manually entering DNS. If you see numbers there, that is your problem. They should all be 0.0.0.0, which indicates automatic setting.

Hope that helps.
Tom

Edited by Gaijin, 01 April 2010 - 08:50 PM.
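The two Gaijin posts above (the rogue resolver addresses in the first post, and the IPCONFIG / default-gateway check in this one) boil down to one question a technician can answer from the client alone: is this machine resolving names through its own router, or through a server somebody else chose? The script below is an added example written for this thread, not code posted by Gaijin or by BleepingComputer. It parses the text of `ipconfig /all` (the sample output embedded in it is constructed for illustration) and flags any DNS server that is neither the default gateway nor a private address, with the two addresses named in the first post treated as known-rogue. It checks the PC only; the router's own DNS fields still have to be inspected through its admin page as described above.

```python
import ipaddress
import re

# Rogue DNS servers named in the first post of this thread; the third address
# the poster did not record, so this list is deliberately incomplete.
KNOWN_BAD_DNS = {"93.188.166.105", "1.2.3.4"}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample of Windows `ipconfig /all` output showing the hijack.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 93.188.166.105
                                       1.2.3.4
"""


def parse_ipconfig(text):
    """Return (default_gateway, [dns_servers]) from `ipconfig /all` text.

    Windows prints the first DNS server on the "DNS Servers" line and any
    further servers on continuation lines that hold only an address.
    """
    gateway = None
    dns_servers = []
    collecting = False  # true while reading DNS continuation lines
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            collecting = False
            continue
        if "Default Gateway" in line:
            match = IPV4_RE.search(line)
            if match:
                gateway = match.group(1)
            collecting = False
        elif "DNS Servers" in line:
            match = IPV4_RE.search(line)
            if match:
                dns_servers.append(match.group(1))
            collecting = True
        elif collecting and IPV4_RE.fullmatch(stripped):
            dns_servers.append(stripped)
        else:
            collecting = False  # any other field ends the DNS list
    return gateway, dns_servers


def audit_dns(gateway, dns_servers, known_bad=KNOWN_BAD_DNS):
    """Return a list of (server, reason) for resolvers that need attention.

    A resolver equal to the gateway, or inside a private range, is what a
    home router normally hands out and is accepted; anything else is flagged.
    """
    findings = []
    for server in dns_servers:
        addr = ipaddress.ip_address(server)
        if server in known_bad:
            findings.append((server, "known rogue DNS server from this thread"))
        elif server == gateway or addr.is_private:
            continue
        else:
            findings.append((server, "public resolver not assigned by the gateway; confirm it is your ISP's"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse ipconfig output and audit it in one call."""
    gateway, servers = parse_ipconfig(text)
    return audit_dns(gateway, servers)


if __name__ == "__main__":
    # On a real machine, pipe the output of `ipconfig /all` into this script.
    for server, reason in audit_text(SAMPLE_IPCONFIG):
        print(f"{server}: {reason}")
```

A clean result on the PC after a reset or reinstall, while the pop-up persists, points at the router exactly as the thread describes; a flagged address after the router has been fixed means the machine itself still carries a static DNS setting.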


#4 quik4life


  • Members
  • 6 posts

Posted 02 April 2010 - 12:06 AM

Alright...so I switched all DNS entries on my router back to 0.0.0.0. They were changed to the exact addresses that you specified in the first post of this thread. I saved the changes, and voila!! Everything worked. I was able to browse freely again.

So, I updated MBAM and SAS and did a complete scan. I ran both of them in normal mode. MBAM found some bad cookies, but nothing as if it would relate to the Online Protection Tool virus. I dunno....maybe it was. I couldn't tell. I ran SAS but it didn't find anything. Then, I downloaded Microsoft Security Essentials. I ran it on my laptop and it came up clean. I was going to run in on my desktop as well, but I have so much stuff on that comp it seemed like the scan was gonna take well over an hour to complete, so I'm going to save that for tomorrow.

So far, so good.

#5 Gaijin

  • Topic Starter

  • Members
  • 13 posts

Posted 02 April 2010 - 01:53 AM

Glad to hear that it worked. You had not actually gotten the virus on the computer yet; it adjusted the router when you had it the first time. After the format, your computer was actually clean. The DNS was only redirecting you to a site that would pull up the page you requested with a bit of code inserted that would show you the pop-up advertisement only every third time or so, so it was essentially only an advertisement at that point. If you had agreed or accepted it, then you would have gotten the virus back on the computer. I'm confident that the problem is fixed now :thumbsup:

If you change the default password on the router from admin to something else, I would bet diamonds to doughnuts that it would never get in your router again, even if your computer re-caught the virus.

Edited by Gaijin, 02 April 2010 - 02:00 AM.


#6 pauld1957


  • Members
  • 6 posts

Posted 03 April 2010 - 09:16 AM

I had a similar experience. I had the Online Protection Tool popup. I couldn't download updates to Malwarebytes or SuperAntiSpyware. My Norton 360 scan came up with no malware detected.
I reset my router to factory defaults and the problem disappeared. I can now download updates. I don't see the popup anymore.
My daughter who was home from college was seeing the popup on our home router before it was reset, but did not encounter it on her college network.
I notice that there are a number of posts with people trying to clean online protection tool. If some administrator can point them to this solution, that would be helpful.

#7 RustyHavoc


  • Members
  • 34 posts
  • Gender:Male
  • Location:California, USA

Posted 20 April 2010 - 11:32 PM

Thank you so much! It was driving me crazy trying to figure out what was wrong. I did what you said and everything appears to work now!
HP Pavilion dv4, AMD Turion™ X2 Dual-Core Mobile RM-75 2.20 GHz, 4 GB RAM, 218 GB HDD, ATI Radeon HD 3200 Graphics, Windows Vista Home Premium 64-bit, Internet Explorer 9, gmail, avast! 6, Malwarebytes, SpywareBlaster