
the page does not support your version of browser


13 replies to this topic

#1 chuckmerja

Posted 29 May 2011 - 11:14 PM

Home network of 1 hardwired and several wireless computers, all Windows XP Pro or Win7. Situation... Hardwired computer is on most days and has had a srvhost memory leak issue, and has been pretty slow browsing, even though we have a 5 Mbit pipe to the house. Today a daughter was on her laptop and connected to network wirelessly and got a policeman icon with "the page does not support your version of browser" and an "update" icon. She could not browse - any request resulted in "the page does not support your version of browser" error. She did NOT click the update icon. She had AVG2011 up to date, and a scan showed no issues. She downloaded (using the hardwired computer) anti-malware software and did a scan, which found 90ish issues, which it claimed to cure, and new scans of laptop appeared clear, but she still gets the error.

I came home and tried my laptop, which had run on our network either this AM or last night just fine, and got the same browser version error. Also tried my wife's machine (also wireless) and got the same issue.

Browsers on 3 of the 4 machines checked and were set to "get automatically" - no proxy. We use Mozilla primarily, but IE had same issues on 2 computers that I checked.

Did hard reset of the router (Linksys G) which had "linksys" as the SSID - I know, but I live miles from anyone and any traffic. Didn't expect to have a router problem via the internet, but I think that might be what happened. Anyway, turned off daughter's and wife's computers and did hard reset and then changed SSID, but left security off. Did the work on the router via the hardwired computer - which I'm now thinking is my culprit. Had to reset my laptop to have it pick up new SSID which it did, BUT I still get the browser error. So I did an ipconfig /all on that laptop (and this desktop) and now have a hint...

Desktop -

IP address 192.168.1.108
Default Gateway 192.168.1.1
DHCP Server 192.168.1.1
DNS Servers - appropriate for my ISP

Laptop -

IP address 192.168.1.161 (above the 192.168.1.149 upper range of the Linksys router)
Default Gateway 192.168.1.1 (ok, one out of 4 is ...)
DHCP Server 192.168.1.108 (yup - that's my desktop computer!)
DNS Servers - 188.229.88.7 (not even close to my ISP servers)!!!

So, my desktop is the dhcp server and is redirecting to not my ISP. I'm writing this on the desktop, just before I turn it off for the night and then try to find my router without it handing out DHCP stuff. Hope I can read any replies and post more results here later tonight or tomorrow :o))

THANKS!! Chuck

Edited by Blade Zephon, 30 May 2011 - 10:26 AM.
Moved to AII as no logs provided and Prep Guide not followed. ~BZ




#2 Blade

  • Site Admin

Posted 30 May 2011 - 10:27 AM

She downloaded (using the hardwired computer) anti-malware software and did a scan, which found 90ish issues, which it claimed to cure, and new scans of laptop appeared clear, but she still gets the error.

Which software did she download?

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 Ivan92


Posted 30 May 2011 - 01:55 PM

Chuck,

There is another thread that is covering this issue:

http://www.bleepingcomputer.com/forums/topic400108.html

#4 chuckmerja


Posted 30 May 2011 - 07:41 PM

@Blade -

Sorry, I'm not sure what you mean by no log and prep not followed. I'd be happy to comply, but searched for "prep" and got nothing, and am not sure what log I should have loaded.

Daughter downloaded Malware's AntiMalware - and found 93ish issues. She was running an up to date AVG2011 on Win 7 machine.

My desktop had a bad experience with AVG2011 about a month ago, and still wasn't running like it's "old self" - slow browsing, memory leak, and more, so it didn't have automatic updates turned on and didn't have a working AV program.

This AM I unhooked the desktop from the network and fired it up - got a "Data Execution Prevention" (DEP) on startup - Spooler SubSystem App from Microsoft. So I went in and set DEP to all programs, unless I allow. Then began a Malware scan - it is still running some 8 hr later.

With the desktop unhooked, the laptops seem to be working alright on the wireless router.

I did see the other post, although my issue seems to be slightly different - unless I find laptops actually are infected.

PS - Haven't had the guts to visit 188.229.88.8 which was the new DNS.

Thanks, C

Edited by chuckmerja, 30 May 2011 - 07:52 PM.


#5 Blade


Posted 30 May 2011 - 07:57 PM

Hi.

If it ends up being necessary I'll point you to the prep guide.

We'll try to solve the issue here first though.

So. . . do you get the error regardless of browser?

With the desktop unhooked, the laptops seem to be working alright on the wireless router.

To confirm. . . you're saying that, with the desktop disconnected from the router, you don't have the abovementioned issue?

~Blade



#6 chuckmerja


Posted 31 May 2011 - 08:45 AM

Thanks -

1 - Yes, the issue seems to be browser independent - we usually use Firefox, but we saw the same issue in IE.
2 - And yes, since the desktop has been unplugged from the network, the wireless laptops seem to be OK, although, yesterday AM I had a couple tabs open in Firefox when I'd put my laptop away overnight. When I opened it up again in the AM, I had some tabs that had the issue reappear, but a refresh of the tab brought up the correct URL.
3 - The desktop is still scanning - over 21 hours of scanning with "AntiMalware" 3xx,xxx files with 19 issues so far.

thanks again...C

#7 Blade


Posted 31 May 2011 - 03:01 PM

Hello,

Please post the log from the scan when it completes.

~Blade



#8 DeDeJ


Posted 31 May 2011 - 03:41 PM

I have witnessed this problem.

The PC with the policeman-type figure is probably not the infected PC. Someone at my workplace figured this out.
Do an ipconfig /all. We see DNS of 188.229.88.7
Take note of the DHCP server. The IP address of the DHCP server is the infected PC.
Look for the PC with that IP address. Turn it off and the problem will go away.
A coworker of mine discovered this.

A co-worker of mine ran MalwareBytes on the PC 'acting similar to the DHCP server' and found a rootkit.

I am still looking desperately for info about this virus. It must be new.

Good luck
D
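
The check described in posts #1 and #8 (compare the DHCP server, DNS servers and leased address a client reports against what the router should hand out), as an added example that is not part of the original thread. The pool start, the trusted resolver address and the sample text are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions (adjust to your network): the router is the only legitimate DHCP
# server, its pool ends at .149 as stated in post #1 (the .100 start is assumed),
# and 203.0.113.53 is a placeholder standing in for the ISP's resolver.
EXPECTED_DHCP = "192.168.1.1"
POOL = (ipaddress.ip_address("192.168.1.100"), ipaddress.ip_address("192.168.1.149"))
TRUSTED_DNS = {"192.168.1.1", "203.0.113.53"}

# Constructed sample in `ipconfig /all` layout, using the laptop values from post #1.
LAPTOP = """\
Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.161(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.108
   DNS Servers . . . . . . . . . . . : 188.229.88.7
"""

FIELD = re.compile(r"^\s*([A-Za-z0-9 ]+?)[ .]*:\s*(\d+\.\d+\.\d+\.\d+)")
CONTINUATION = re.compile(r"\s+(\d+\.\d+\.\d+\.\d+)\s*")

def parse(text):
    """Map each field name to its IPv4 values; bare indented addresses
    (a second DNS server) are appended to the field above them."""
    fields, last = {}, None
    for line in text.splitlines():
        m, c = FIELD.match(line), CONTINUATION.fullmatch(line)
        if m:
            last = m.group(1).strip()
            fields.setdefault(last, []).append(m.group(2))
        elif c and last:
            fields[last].append(c.group(1))
        else:
            last = None
    return fields

def audit(text):
    """Return findings for one client's `ipconfig /all` output."""
    f, findings = parse(text), []
    findings += [f"rogue DHCP server {s}" for s in f.get("DHCP Server", []) if s != EXPECTED_DHCP]
    findings += [f"untrusted DNS {d}" for d in f.get("DNS Servers", []) if d not in TRUSTED_DNS]
    for ip in f.get("IPv4 Address", []) + f.get("IP Address", []):  # Win7 / XP labels
        if not POOL[0] <= ipaddress.ip_address(ip) <= POOL[1]:
            findings.append(f"lease {ip} outside router pool")
    return findings

if __name__ == "__main__":
    print(audit(LAPTOP))
```

The address reported as the rogue DHCP server is the machine to pull off the network first, as the posts above describe.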

#9 capitalistocrat


Posted 31 May 2011 - 07:47 PM

I just spent the day cleaning up this infection in a network of ~50 computers. It's simple once you get down to it and find the problem computer(s) acting as a DHCP server. I ended up having to look at the IP on each computer until I found the one listed as the DHCP server on the other systems. Once I took this one offline the other computers behaved as they should.

There were actually two acting as a DHCP server I believe, because the one I hunted for had in its settings another DHCP server listed. I took both offline and I'm just going to wipe them clean and not bother with removing the virus. After MB and MSE scans on several other computers I'm convinced that's the extent of the damage, UNLESS of course the user clicked on the "browser update" button. On the one where somebody had done that there's now popups for "Security Solution 2011." Whether this is the chicken or the egg I couldn't say. Sorry for lack of details on cleaning it up but I've got system images saved for these systems and nowadays reimaging is often the faster and definitely the more thorough way to go instead of cleaning up viruses manually (just my opinion).

One thing to mention is that when I looked in the DHCP leases on the server I of course couldn't find the offending computers. I ended up using an IP scanner (like Angry), and even then the offending IP didn't show me a computer name but 1 of the 4 times I did a scan. In a small network this shouldn't be a problem for you as I'm sure you know what computers you have!

Side note - the DNS server IP I was seeing earlier is 188.229.88.7. Thanks, Romania!

EDIT: 24 hours later and everything looks good on my end. Hooray!

Cheers
Noah

Edited by capitalistocrat, 01 June 2011 - 04:48 PM.


#10 Ivan92


Posted 31 May 2011 - 11:15 PM

I think I have the same issue. I just want to clear something up. Do the default gateway and DNS servers have to be similar? Because mine are very different. I tracked the DNS servers to New York while my default was where I live...

#11 Blade


Posted 01 June 2011 - 02:35 AM

@Ivan92, please start your own topic to avoid confusion.

@everyone else. Thanks for your input. However, many infections can have identical symptoms at first, so this isn't necessarily the same infection. Let's wait and see what the log shows.

~Blade



#12 parabolix


Posted 01 June 2011 - 01:21 PM

I understand that a moderator has indicated to stfu on this topic.
In the interest of saving your network, I'd like to say what worked for me:

This is an MBR rootkit which blew by combofix/gmer.. (and Symantec Endpoint 11 and untangle/clam for me). While combofix showed a rootkit, the DHCP server on these boxes persisted, and when 188.229.88.7 was ACL'ed out, the DHCP server went into a quiet mode and handed out the Google DNS 8.8.8.8. In fact, reinstalling w/ repair off the XP disc didn't stop it!

Using some rather.. odd.. software involving a boot disc and Windows client called "unhackme / regrun warrior" it's been 24 hours with no files dropped, rogue DHCP servers, and Wireshark says no traffic to 188.229.88.7, so I think it's clean.
It is, unfortunately, payware. The free bit of it teases you into the rest of it, much like prevx, which may also be worth a shot.

#13 Blade


Posted 01 June 2011 - 01:38 PM

I understand that a moderator has indicated to stfu on this topic.


Not what I said. . . I merely offer caution that what appears similar may not indeed be so. We need more information.

As with the others, thank you for your input.

~Blade



#14 cjon


Posted 05 June 2011 - 03:21 PM

FWIW - I had a similar experience as well. Greatis (unhackme/Regrun warrior) offers a free scanner called Reanimator that identified what they called TDL3+, but which others call TDSS. Kaspersky's free TDSSKiller identified and removed it without protest, and the machine now seems to be clean, and others connected to the network no longer get the "red cop" browser error.



