
Homeland Security Virus: Please Help


30 replies to this topic

#1 jknick9

  • Members
  • 41 posts
  • Local time: 04:37 PM

Posted 25 November 2013 - 06:09 PM

Acer Aspire 5733Z laptop, Windows 7 OS infected with Homeland virus. Now with problems connecting to the internet via ethernet cable. IP address reads 169.254... From forum searching I've gathered that is b/c it isn't receiving a network address. The other laptop I have is connected via the same cable fine.

I'm running the infected computer in safe mode currently, I've done several system restores, and I'm currently running Malwarebytes to see if anything pops up that I can remove.

For the networking issue I've already tried the netsh reset stuff in the cmd prompts... nothing seemed to be working.

Any suggestions on getting this virus off my laptop would be awesome and appreciated.

 

thank you!! 

 

jknick





#2 jknick9


Posted 25 November 2013 - 06:53 PM

So Malwarebytes located 2 infections, one of which was trojan related naturally... I clicked remove but on reboot the virus was still present :(



#3 jknick9


Posted 25 November 2013 - 09:34 PM

OK, some kind soul PM'd me with tips and things to try that worked for removing the virus... using a bootable AV USB. So all cleared up there BUT can't access the internet still. IP address still coming back 169.254 something when I plug the ethernet cable in there, with no default gateway... yet on the other machine the address is 174.102.106 etc. and a default gateway is present.
I already tried plugging in all the numbers from this computer into the other one when it's plugged into the ethernet, but no dice.

taking any suggestions or help...

thank you!

jknick



#4 jknick9


Posted 26 November 2013 - 04:28 PM

My Acer Aspire laptop was infected with the Homeland virus... It would still browse the internet via my ethernet connection, in safe mode. I had an issue that I needed to plug in a working laptop for, and as soon as I unplugged the ethernet cable from the infected computer into a different working one... and then replugged into the infected one... it gave me this identifying spinner forever and ever...

I searched forums for a fix and tried a bunch of cmd prompts etc. Nothing has worked. I ended up getting rid of the virus via the Hitman Pro bootable AV USB... and I've tried refreshing the IP etc. Nothing is working :(

If anyone could help me out with this that would be fantastic. I am losing faith.


add:  So I've been raking forums looking for answers... trying different things, and noticed that I had exclamation points on the Ancillary Function Driver for Winsock... as well as HTTP... so I uninstalled and restarted and they are just gone. Now I'm trying to figure out how to get them back... I downloaded some DLL suite and put it on the sick laptop but it doesn't look like it's doing anything. I tried sfc /scannow and it said it couldn't perform the operation. When this DLL thing stops I'm going to try scannow again in safe mode... sheesh. :'(


Edited by jknick9, 26 November 2013 - 10:21 PM.


#5 jknick9


Posted 28 November 2013 - 09:43 PM

I'm also attaching some logs I ran while trying to troubleshoot from other threads etc. Nothing is working :'(
 
Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation.  All rights reserved.
 
C:\Windows\system32>netsh advfirewall reset
 
An error occurred while attempting to contact the  Windows Firewall service. Mak
e sure that the service is running and try your request again.
 
 
C:\Windows\system32>netsh branchcache reset
The following command was not found: branchcache reset.
 
C:\Windows\system32>netsh branch cache reset
The following command was not found: branch cache reset.
 
C:\Windows\system32>netsh int ip reset c:\resetlog.txt
Reseting Global, OK!
Reseting Interface, OK!
Reseting Unicast Address, OK!
Reseting Route, OK!
Restart the computer to complete this action.
 
 
C:\Windows\system32>netsh int ipv6 reset
There's no user specified settings to be reset.
 
 
C:\Windows\system32>netsh winsock reset
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
C:\Windows\system32>
 
C:\Windows\system32>
 
C:\Windows\system32>
Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation.  All rights reserved.
 
C:\Windows\system32>ipconfig /renew
 
Windows IP Configuration
 
No operation can be performed on Wireless Network Connection 2 while it has its
media disconnected.
An error occurred while renewing interface Local Area Connection : The RPC serve
r is unavailable.
 
 
C:\Windows\system32>ipconfig /renew
 
Windows IP Configuration
 
No operation can be performed on Wireless Network Connection while it has its me
dia disconnected.
No operation can be performed on Wireless Network Connection 2 while it has its
media disconnected.
An error occurred while renewing interface Local Area Connection : The RPC serve
r is unavailable.
 
 
C:\Windows\system32>ipconfig /flushdns
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
C:\Windows\system32>tracert google.com
Unable to resolve target system name google.com.
 
C:\Windows\system32>ping google.com -t
Ping request could not find host google.com. Please check the name and try again
.
 
C:\Windows\system32>ipconfig /all
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : Shawnn-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Peer-Peer
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : columbus.rr.com
 
Wireless LAN adapter Wireless Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
   Physical Address. . . . . . . . . : E2-F8-DA-68-56-96
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Wireless Network Connection 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : Belkin
   Description . . . . . . . . . . . : Atheros AR5B95 Wireless Network Adapter
   Physical Address. . . . . . . . . : C0-F8-DA-68-56-96
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : columbus.rr.com
   Description . . . . . . . . . . . : Broadcom NetLink ™ Ethernet
   Physical Address. . . . . . . . . : B8-70-F4-E2-1E-0C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::fdc2:3d98:a1cb:1013%11(Preferred)
   Autoconfiguration IPv4 Address. . : 169.254.16.19(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 209.18.47.61
                                       209.18.47.62
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.{1635143F-CCF8-44CB-A4E6-9C3568ACE920}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.Belkin:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.columbus.rr.com:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : columbus.rr.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
C:\Windows\system32>
 
 
I also have a couple of screenshots from within the registry that show the IP config of the wireless and ethernet adapters.... I can't figure out how to insert them here...
I've tried everything short of going back to factory settings... the drivers are all up to date... ugh.



#6 noknojon

  • Banned
  • 10,871 posts
  • Gender: Not Telling
  • Local time: 08:37 AM

Posted 29 November 2013 - 04:59 AM

Hello -

I am not sure who sent the "procedures" to you, but we do not do it here.

Some infections are not always the same - Please tell me if any match the infection that you have =>
Homeland Security Ransomware Removal Guide
Department of Homeland Security
Homeland Security ransomware
 

Thank You -



#7 jknick9


Posted 29 November 2013 - 11:12 AM

You're asking which virus it was? It was the first one, the Homeland Security Ransomware... 



#8 noknojon


Posted 29 November 2013 - 04:13 PM

Hi -

Do you think that you are able to follow the directions in the guide provided?

This was another reason for checking the exact version of your infection (some sound similar).

 

Please tell me if the directions are not suitable for you, and I will get a helper to guide you through it.

 

Thank You -



#9 jknick9


Posted 29 November 2013 - 05:02 PM

Hey! Yeah, I already removed the virus... using those directions. My problem now is that I can no longer get on the internet.... the network is stuck on Identifying. And as I noted here I have tried everything to get it back to identifying, to no avail. So I need assistance with fixing my networking issues at this point.



#10 noknojon


Posted 29 November 2013 - 05:21 PM

Hi -

Ransomware infections usually come with a few side infections also.

From here we need to treat it as another infection that is blocking your internet -

Do you normally use Ethernet (wired) or Wireless internet connection -

 

 

Please scan your computer with ESET Online Scanner
Disable active Antivirus and Antimalware programs How To Temporarily Disable Your Anti-virus
This scan is best performed with Internet Explorer, as it uses ActiveX
If you will not / do not use Internet Explorer, then please read item 3 in this post
1 - Open Internet Explorer and hold down Control (Ctrl) key and click on This Link to open ESET OnlineScan in a new window.
2 - Click the ESET Online Scanner button.
3 - For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

3 - a - Click on eset.exe to download the ESET Smart Installer. Save it to your desktop.
3 - b - Double click on the  icon on your desktop.

Vista / Windows 7 & 8 users may need to right-click on the icon and select Run as administrator.

4 - Check "YES, I accept the Terms of Use."
5 - Click the Start button.
6 - Accept any security warnings from your browser.
7 - Under scan settings, check "Scan Archives" and "Remove found threats"
8 - Click Advanced settings and select the following:

* Scan potentially unwanted applications
* Scan for potentially unsafe applications
* Enable Anti-Stealth technology

9 - ESET will then download updates for itself, install itself, and begin scanning your computer.
10 - Please be patient as this will take some time (first time scans are always longer).
11 - When the scan completes, click List Threats
12 - Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
13 - Click the Back button and then Click the Finish button.
NOTE: Sometimes if ESET finds no infections it will not create a log.
If you lose the log it can be found at C:\Program Files\ESET\EsetOnlineScanner\log.txt
If no infections are found then please just tell me -
You can ignore any ESET detection of AdwCleaner...it is a false positive detection.

 

Thank You -



#11 jknick9


Posted 29 November 2013 - 05:34 PM

Wired/Ethernet connection. I have another laptop that I am on currently that is getting on the net, so I can move files from the working one to the non-working one.

My firewall on the non-working one is off and I disabled Malwarebytes... and I did put the ESET scanner on the non-working one; however, since it can't get online, the scan isn't working...



#12 noknojon


Posted 29 November 2013 - 07:12 PM

What happens if you remove the cable from the good computer...........
Now plug into the sick unit and try a few things - Is the computer recognised at all?

Next -
Go - Start > Control Panel > Internet Options > Connections > LAN Settings - What is listed in the box(es) ?
Again Control Panel > System > Device Manager > List the ( ? ) and ( ! ) shown in Red or Yellow.



#13 jknick9


Posted 29 November 2013 - 07:20 PM

When I plug into the sick computer it recognizes the ethernet is plugged in, but it just says 'identifying network' with a spinner wheel indefinitely...

 

I did at one point look in the device manager for red or yellow highlighted items and I didn't see any until I selected to show hidden items. Then under non-plug and play drivers, the Ancillary Function Driver and HTTP were marked with the yellow exclamation point and said that some components were missing. So I deleted them, then restarted to see if they'd reinstall, and they did not come back. Nothing else in the device manager was highlighted...
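The ipconfig /all and netsh output in post #5 and the deleted AFD / HTTP drivers in post #13 describe one failure seen from two sides: the Ethernet adapter holds an APIPA address with no gateway, DHCP renewal fails with "The RPC server is unavailable", and the Winsock driver no longer has a registration to load from. The PowerShell below is an added example, not code from the thread or from BleepingComputer, that gathers those facts in a single run so a helper can see which layer is broken. The service and driver names are the standard Windows ones; which of them to include is my assumption from the symptoms, and nothing here changes the machine.

```powershell
# Added example, not code from the thread: post-cleanup network triage for a
# Windows 7 machine stuck at "Identifying..." with a 169.254.x.x address.
# Run from an elevated PowerShell prompt; uses only cmdlets and WMI classes in
# Windows 7 / PowerShell 2.0. The service/driver list is my reading of the
# symptoms in the thread, not something the original posts supplied.

function Test-Apipa {
    # 169.254.0.0/16 is the automatic private range: DHCP was asked for a
    # lease and never answered, which is what the ipconfig /all log shows.
    param([string]$Address)
    return ($Address -like '169.254.*')
}

function Get-AdapterReport {
    # One row per IP-enabled adapter; NoLease is the symptom to chase.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
      ForEach-Object {
        $cfg = $_
        $v4  = @($cfg.IPAddress        | Where-Object { $_ -match '^\d+(\.\d+){3}$' })
        $gw  = @($cfg.DefaultIPGateway | Where-Object { $_ })
        $apipa = @($v4 | Where-Object { Test-Apipa $_ }).Count -gt 0
        New-Object PSObject -Property @{
            Adapter = $cfg.Description
            DHCP    = $cfg.DHCPEnabled
            IPv4    = ($v4 -join ', ')
            Gateway = ($gw -join ', ')
            NoLease = ($cfg.DHCPEnabled -and ($apipa -or $gw.Count -eq 0))
        }
      }
}

function Get-ComponentState {
    # MISSING = no service registration at all, which is what deleting AFD or
    # HTTP from Device Manager leaves: the Services registry key is gone.
    param([string]$Class, [string]$Name)
    $o = Get-WmiObject -Class $Class -Filter "Name = '$Name'"
    $state = 'MISSING'; $mode = ''; $path = ''
    if ($o) { $state = $o.State; $mode = $o.StartMode; $path = $o.PathName }
    New-Object PSObject -Property @{ Kind=$Class; Name=$Name; State=$state; StartMode=$mode; Path=$path }
}

function Get-NetworkStackReport {
    # Services behind the logged errors: RpcSs ("The RPC server is unavailable"
    # on ipconfig /renew), Dhcp (no lease), BFE + MpsSvc (netsh advfirewall
    # could not contact the firewall service), Dnscache, nsi. Drivers: AFD and
    # HTTP (the two the poster removed) plus the stack beneath them.
    $services = 'RpcSs', 'Dhcp', 'Dnscache', 'nsi', 'BFE', 'MpsSvc'
    $drivers  = 'AFD', 'HTTP', 'Tcpip', 'NetBT', 'nsiproxy'
    @($services | ForEach-Object { Get-ComponentState 'Win32_Service'      $_ }) +
    @($drivers  | ForEach-Object { Get-ComponentState 'Win32_SystemDriver' $_ })
}

Get-AdapterReport      | Format-Table Adapter, DHCP, IPv4, Gateway, NoLease -AutoSize
Get-NetworkStackReport | Format-Table Kind, Name, State, StartMode, Path -AutoSize
```

On the machine in this thread the Ethernet row would read DHCP True, IPv4 169.254.16.19, an empty Gateway and NoLease True, and the AFD and HTTP rows would come back MISSING. A MISSING driver row points at the lost Services registry key rather than a damaged file, which is why sfc /scannow is not the tool that brings it back.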



#14 noknojon


Posted 29 November 2013 - 10:22 PM

OK -

Internet is not required for this and it may do something -

Go - Start Orb > In the search box type CMD and Right click on the black box at the top > Type sfc /scannow and press Enter.

NOTE the space between the c and / (it must be there)

This will take (on average) 15 to 20 minutes to run, and please do not touch the keyboard once it starts.

It should finish and I hope it says (basically) all was good - Note any "odd" wording -

 

Repeat from the start, but this time type chkdsk /r and press Enter. When the message pops up and asks if you want to schedule a check, tick yes and reboot the computer.

NOTE the space is between k and / this time

This will take (on average) 90 to 120 minutes, and it will seem like it is in safe mode during the scan.

Do not force a reboot as you may lose data, and cause problems, the computer will restart after the check is completed.

 

Thanks -


Edited by noknojon, 29 November 2013 - 10:38 PM.


#15 jknick9


Posted 29 November 2013 - 11:12 PM

this is the scannow result: 

 

Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation.  All rights reserved.
 
C:\Windows\system32>sfc /scannow
 
Beginning system scan.  This process will take some time.
 
Beginning verification phase of system scan.
Verification 85% complete.
 
Windows Resource Protection could not perform the requested operation.
 
C:\Windows\system32>
 
 
and the chkdsk is currently running. 




