
Internet Connection might be hijacked


21 replies to this topic

#1 McWheels

Posted 01 May 2010 - 10:45 AM

My wife handed me her laptop the other day and the desktop was littered with popups for free virus scans and warning messages that she was seriously infected. I have two laptops and the two desktops I built on a home LAN with the two laptops connected wirelessly. I immediately noticed a major slow-down on all the computers.

The Internet connection on the infected laptop is compromised and initially, it tried to go wherever it wanted but nowhere you wanted it to go. So I ran a several-month-old version of Malwarebytes software in quick mode to try and fence this thing in. It got 10 objects and I removed them. My next intention was to download the latest version and run it in full mode but now, I have no Internet connection at all on that laptop. Not only that, now, if I attempt to start that laptop in normal mode, my entire Internet connection goes down including the two desktops that are wired. On the clean laptop, where I am now, the networking software reports a good connection to the router but no connection between the router and the Internet if the infected computer is turned on. If I shut the infected laptop down and wait a bit, I was able to "refresh" my router's DNS settings and regain Internet access.

I have been trying to open the infected laptop in safe mode without networking now and I downloaded what I hope to be the latest version of Malwarebytes on another computer and burned it to CD. I put that in the infected computer and installed it. It has been running for a while and hasn't found any infected objects yet. I might have eliminated part of the threat but the side effects still remain. My Outlook can't access the Internet and I went through the process of clearing and deleting and resetting IE. I have IE7 on my main, (IE8 still blocked), but I'm not sure which version is on the infected laptop but it will be either IE7 or IE8.

When I open "Internet connections" Besides the "LAN connection" and the "Wireless Connection" that I expected to see, there is another Internet connection that was connected and called "Internet Gateway." I immediately disabled it and deleted it but upon restart, it was back again. This time, I disabled it but left it there hoping its presence will preclude the formation of a new edition of it.

When I attempted to restore my connection through the "Wireless Connection" to the router from the infected computer, my Wireless connection corrected itself and connected but then, the connection from the router to the Internet fails immediately. So, that's about where I'm at. AH, the full scan just popped up one infected object after running almost two hours. I suspect it is going to take a little more than this scan to fix her computer this time. I also think that her HP laptop was one of those that you were supposed to burn your own restore CDs from the hard drive and I never did and she can't remember if she did or not or where they might be. So I'm not sure where to go from here. Any ideas would be greatly appreciated, thanks.


#2 Budapest (Moderator)

Posted 07 May 2010 - 12:38 AM

Try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner. It would be best run in Safe Mode.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 McWheels (Topic Starter)

Posted 08 May 2010 - 11:53 AM

Try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner. It would be best run in Safe Mode.


THANK YOU, I will try that now.

I was able to download a recent version of Malwarebytes Setup and burn that to CD on a good computer which I opened on the infected and was able to setup and run in safe mode. It found one more but that's it. Still, the infected computer trashes my cable Internet connection whenever I enable and allow the infected computer to access the router. I have to shut down for a bit or renew my DNS settings inside the router to restore my Internet connection.

I have a suspicion that I may have over-aggressively gotten rid of the virus or whatever it was but left my Wireless Adapter and Internet software setting completely distorted. I'm not sure how I can restore those settings.

#4 McWheels (Topic Starter)

Posted 08 May 2010 - 12:25 PM

I just figured out that the restore disks that I need are available through HP. They want about fifteen bucks but that's a lot better than a new laptop. All they wanted was a serial number and since we registered that laptop when it was new, they didn't ask anything else. The disks are on the way.

Still puzzles me as to how the virus or rootkit or whatever corrupted the wireless adapter so bad. It not only made it impossible to use IE but Outlook couldn't connect either. That may all be a result of an overloaded connection that my ISP shuts down when I try to connect the corrupted laptop. I was also able to download a new wireless adapter driver. I was thinking about burning that along with that copy of spyware remover that was previously recommended. It will be a week before I get the CDs so I have time to play.

#5 Budapest (Moderator)

Posted 08 May 2010 - 05:16 PM

Did you try the SUPERAntiSpyware scan?

#6 McWheels (Topic Starter)

Posted 08 May 2010 - 05:49 PM

I DID! I had to run some errands today so I downloaded it earlier and burned it to a CD with a couple other little things. I let it run while I left. When I got back to it, it said it had quarantined some thirty or so items. I looked over the list of items but I couldn't recognize any of the names. To me, the majority of them looked like tracking cookies. But I deleted them all and did all the reboots and I even went into IE to do the advanced-reset option but still, no connection.

The situation is different however. Right now, that computer is ON, right next to me, saying it has an excellent connection while I am connected to the Internet on this particular laptop using the same wireless connection. So, the situation where the entire Internet connection died has disappeared. It used to block this and even my main wired connection but it did so by knocking out the modem connection. I still don't know if that was RoadRunner shutting down my Internet connection when it detected an infected PC. I know they can do that so I suspect that might have been corrected by running the software that you suggested.

I tried her Outlook 2000, which has ten years of her pictures stored in it, (I know, I keep telling her. And she has backed up a few things here and there. But I suspect she never backed up Outlook), and it can't connect either. Yet I have the window open to the network connection, still saying it has a five-bar connection. And obviously, I still have a connection. Now I just have to figure out how to restore the laptop's connection to its own Internet connection.

#7 Budapest (Moderator)

Posted 08 May 2010 - 05:53 PM

What operating system does the computer have?

#8 McWheels (Topic Starter)

Posted 08 May 2010 - 06:25 PM

Everything I have has XP Home SP3 except my desktop that has XP Pro SP3. So far, after I did the Explorer reset, I renamed the HOSTS file and used the MS sample version in place of it to make sure it wasn't blocking anything. I went to check the Windows Firewall and learned that it seems to be connected to the same service as "Internet Connection Sharing" which I promptly shut down and disabled. So I started that service and I checked inside Explorer's advanced settings to check all the security settings. Everything is set to default and all the website block lists are blank. Then, even though I manually typed in "http://www.google.com" into the homepage text box and saved it, when I restart Explorer, it attempts to connect to "http://go.microsoft.com/fwlink/?linkID=74005". I am guessing that is some kind of MS default thing.

But Outlook still doesn't connect either even though the computer still reports an Internet connection. The weird part is that when I run MS's "Diagnose Your Internet Connection" thing in Explorer, it runs for a bit and then tells me to check my modem connections. Eerily similar to the way the Internet was being blocked before but yet, I can access this forum on this laptop. Makes me wonder if RoadRunner has a way to block specific MAC addresses now or something. Everything else on the computer seems to be functioning normally except it boots a hell of a lot faster since I stripped down the registry and startup folders to the bare minimum. I think it might be okay if I can restore the Internet connection.

#9 Budapest (Moderator)

Posted 08 May 2010 - 07:04 PM

Try this:

http://majorgeeks.com/WinSock_XP_Fix_d4372.html

#10 McWheels (Topic Starter)

Posted 09 May 2010 - 06:57 AM

You ARE the man! That little program appears to have restored IE's ability to connect. The first place I went was MS Update and it wanted to install its "genuine Windows Validation tool" and that installation failed. So I wasn't able to update there just yet. I noted that the bug completely disabled the AVG Free so it wasn't starting up. Simple enough to just delete it and I will download and install a new copy when I'm done.

I did a reboot or two, found my "IE8.0 blocker" program and set it to UNblock IE8. So I immediately got prompted to install IE8. They should have enough of the bugs worked out now so hopefully that will install and setup okay. Then maybe I can go back to the update site and re-enable automatic updates and replace whatever was corrupted. Then I'll re-install AVG Free and see how it does.

It's so tough to say where she might have picked up this bug but it seems so hard to shield yourself these days without taking extra measures. I use AVG Pro on my main machine because it comes with a two-way firewall and I am a firm believer in two-way firewalls. That way, if you do let a bug in, you can trap it and isolate it. I have done that with some freeware programs that I liked but didn't come down the pike very clean. I can download them into a quarantined environment and then watch as my antimalware tools pick it apart and render it helpless. Sometimes, you can get a nice little free piece of software like an FLV converter or something that way. But the wife doesn't want to be bothered with training a firewall. So I'm not sure what is the best way to protect her computer.

I'll let you know what happens when I'm done piecing this thing back together but THANK YOU very much.

#11 McWheels (Topic Starter)

Posted 09 May 2010 - 07:24 AM

Well, it seems IE8 installed okay but upon return to the Windows Update site, it still wants to install that "Windows Genuine Advantage Validation Tool" and the install still failed. It says to contact the hardware vendor for assistance. But this computer is so far out of warranty that I doubt they would be much help without paying them a substantial fee.

I'll keep trying various ways to get updates but I'm not sure what to try next.

#12 Budapest (Moderator)

Posted 09 May 2010 - 04:20 PM

Download this file and save it to your desktop:

http://download.bleepingcomputer.com/grinler/rkill.scr

Double-click the file to run it. A command window will open briefly. Then run a quick scan with Malwarebytes. Post the Malwarebytes log.

#13 McWheels (Topic Starter)

Posted 09 May 2010 - 05:18 PM

I read a bit about rkill in another thread on this forum. It sounded like a good tool so I downloaded and used it yesterday. I just tried it again and it produced the very same report. The only process that it reports killing is itself. Both times, identical! So I just downloaded the latest Malwarebytes to it and it's scanning now.

Two previous passes yielded nothing more than a few tracking cookies but I'll try to save the results of this scan.

I really appreciate the help!

#14 McWheels (Topic Starter)

Posted 09 May 2010 - 05:36 PM

This is the log from this machine as of minutes ago...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4084

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/9/2010 6:34:15 PM
mbam-log-2010-05-09 (18-34-15).txt

Scan type: Quick scan
Objects scanned: 127605
Time elapsed: 14 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

...end of log

And connected to this forum on the subject computer for the first time.

Edited by McWheels, 09 May 2010 - 05:39 PM.
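A small parser for the Malwarebytes 1.x log format posted above, added here as an example (it is not code from the thread or from Malwarebytes). It pulls out the header fields and the summary counts, cross-checks each count against the entries actually listed in that section, and reports whether the log is clean. The first sample is a trimmed copy of the log above; the second is constructed, and its file path and detection name are made up.

```python
import re

# Trimmed copy of the Malwarebytes 1.46 quick-scan log posted above: all counts zero.
CLEAN_LOG = """Malwarebytes' Anti-Malware 1.46
Database version: 4084
Scan type: Quick scan
Registry Keys Infected: 0
Files Infected: 0

Files Infected:
(No malicious items detected)
"""

# Constructed log in the same format with one finding; the path and the
# detection name are made up for the example, they are not from the thread.
INFECTED_LOG = """Malwarebytes' Anti-Malware 1.46
Database version: 4084
Scan type: Quick scan
Registry Keys Infected: 0
Files Infected: 1

Files Infected:
C:\\Documents and Settings\\user\\Local Settings\\Temp\\ab12.tmp (Rogue.Example) -> Quarantined and deleted successfully.
"""

KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): (?P<value>.+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Split an MBAM 1.x log into header fields, summary counts and per-section items."""
    fields, counts, items, section = {}, {}, {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := SECTION_RE.match(line):          # "Files Infected:" opens a detail section
            section = m.group("section")
            items.setdefault(section, [])
        elif section is None and (m := KV_RE.match(line)):
            key, value = m.group("key"), m.group("value")
            if key.endswith(" Infected"):        # summary line, e.g. "Files Infected: 0"
                counts[key] = int(value)
            else:                                # header line, e.g. "Database version: 4084"
                fields[key] = value
        elif section and (m := ITEM_RE.match(line)):
            items[section].append((m.group("path"), m.group("detection"), m.group("action")))
    return {"fields": fields, "counts": counts, "items": items}


def is_clean(report):
    """True when every summary count is zero and no detail entry was listed."""
    return not any(report["counts"].values()) and not any(report["items"].values())


def count_mismatches(report):
    """Sections whose summary count disagrees with the entries actually listed,
    which points to a truncated or hand-edited log rather than a clean host."""
    listed = {s: len(v) for s, v in report["items"].items()}
    return {s: (n, listed.get(s, 0)) for s, n in report["counts"].items() if n != listed.get(s, 0)}
```

A clean verdict here only means this scanner found nothing with this database version; the thread itself shows a zero-count quick scan on a host whose network stack was still broken.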


#15 Budapest (Moderator)

Posted 09 May 2010 - 05:41 PM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)




