
Help, Google redirects to a fake flash player update on both pc and mobile.


35 replies to this topic

#1 pensataq

Posted 07 March 2014 - 01:37 PM

Hi, I seem to have picked up a redirect virus which activates any time I try and use Google or YouTube. It goes straight to a dialog box with the following:

 

Warning! your flash player may be out of date, please update to continue

 

I have run all my virus and spyware programs and nothing has picked it up. I have run:

  • Avast
  • AVG
  • Malwarebytes
  • Spybot
  • TDSSKiller
  • Sophos

 

Hopefully someone here can offer some advice, Thanks in advance.

 





#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:53 PM

Posted 07 March 2014 - 03:36 PM

Hello, what browser are you running? I would like to see these logs.


Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
    Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



    Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
  • Last run ESET.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.


#3 pensataq

pensataq
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:53 AM

Posted 07 March 2014 - 04:33 PM

Hi, thanks for the quick reply and sorry for my delay. I'm running Windows 8. Here's the MiniToolBox log:

 

MiniToolBox by Farbar  Version: 23-01-2014
Ran by pensataq (administrator) on 07-03-2014 at 21:31:46
Running from "C:\Users\pensataq\Downloads"
Microsoft Windows 8  (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================



========================= IP Configuration: ================================

Qualcomm Atheros AR5BWB222 Wireless Network Adapter = WiFi (Connected)
Broadcom NetLink ™ Gigabit Ethernet = Ethernet (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
set interface interface="Local Area Connection* 9" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Bluetooth Network Connection" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="WiFi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 12" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 13" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : Pem
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 1E-3E-84-10-75-05
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter WiFi:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Qualcomm Atheros AR5BWB222 Wireless Network Adapter
   Physical Address. . . . . . . . . : 1C-3E-84-10-75-05
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::832:a22b:a737:b960%18(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 07 March 2014 18:19:05
   Lease Expires . . . . . . . . . . : 10 March 2014 18:19:10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 404504196
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-E6-1A-AF-20-89-84-6A-D8-91
   DNS Servers . . . . . . . . . . . : 50.63.128.135
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : WDS001
   Description . . . . . . . . . . . : Broadcom NetLink ™ Gigabit Ethernet
   Physical Address. . . . . . . . . : 20-89-84-6A-D8-91
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{8223181B-D261-48A6-925B-41DC5AE459B7}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 14:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:10b0:d99:3f57:fefd(Preferred)
   Link-local IPv6 Address . . . . . : fe80::10b0:d99:3f57:fefd%20(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
Server:  ip-50-63-128-135.ip.secureserver.net
Address:  50.63.128.135

Name:    google.com
Addresses:  2607:f8b0:4007:803::1007
      74.125.224.64
      74.125.224.65
      74.125.224.66
      74.125.224.67
      74.125.224.68
      74.125.224.69
      74.125.224.70
      74.125.224.71
      74.125.224.72
      74.125.224.73
      74.125.224.78


Pinging google.com [74.125.224.78] with 32 bytes of data:
Reply from 74.125.224.78: bytes=32 time=187ms TTL=51
Request timed out.

Ping statistics for 74.125.224.78:
    Packets: Sent = 2, Received = 1, Lost = 1 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 187ms, Maximum = 187ms, Average = 187ms
Server:  ip-50-63-128-135.ip.secureserver.net
Address:  50.63.128.135

Name:    yahoo.com
Addresses:  98.138.253.109
      98.139.183.24
      206.190.36.45


Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
Reply from 98.138.253.109: bytes=32 time=191ms TTL=50
Reply from 98.138.253.109: bytes=32 time=239ms TTL=50

Ping statistics for 98.138.253.109:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 191ms, Maximum = 239ms, Average = 215ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 19...1e 3e 84 10 75 05 ......Microsoft Wi-Fi Direct Virtual Adapter
 18...1c 3e 84 10 75 05 ......Qualcomm Atheros AR5BWB222 Wireless Network Adapter
 12...20 89 84 6a d8 91 ......Broadcom NetLink ™ Gigabit Ethernet
  1...........................Software Loopback Interface 1
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 14...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
 20...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link       192.168.1.2    281
      192.168.1.2  255.255.255.255         On-link       192.168.1.2    281
    192.168.1.255  255.255.255.255         On-link       192.168.1.2    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.2    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.2    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 20    306 ::/0                     On-link
  1    306 ::1/128                  On-link
 20    306 2001::/32                On-link
 20    306 2001:0:5ef5:79fb:10b0:d99:3f57:fefd/128
                                    On-link
 18    281 fe80::/64                On-link
 20    306 fe80::/64                On-link
 18    281 fe80::832:a22b:a737:b960/128
                                    On-link
 20    306 fe80::10b0:d99:3f57:fefd/128
                                    On-link
  1    306 ff00::/8                 On-link
 20    306 ff00::/8                 On-link
 18    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\pnrpnsp.dll [67584] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [67584] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\NLAapi.dll [55296] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [21504] (Microsoft Corporation)
Catalog5 07 C:\Windows\SysWOW64\wshbth.dll [50688] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [66560] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [85504] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [85504] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [72192] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [53760] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [64000] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================

System errors:
=============
Error: (03/07/2014 07:04:01 PM) (Source: Ntfs) (User: NT AUTHORITY)
Description: A corruption was discovered in the file system structure on volume Acer.

A corruption was found in a file system index structure.  The file reference number is 0x9000000000009.  The name of the file is "<unable to determine file name>".  The corrupted index attribute is ":$SII:$INDEX_ALLOCATION".  The corrupted index block is located at Vcn 0xd, Lcn 0xffffffffffffffff.  The corruption begins at offset 3880 within the index block.

Error: (03/07/2014 07:03:21 PM) (Source: Ntfs) (User: NT AUTHORITY)
Description: A corruption was discovered in the file system structure on volume Acer.

A corruption was found in a file system index structure.  The file reference number is 0x9000000000009.  The name of the file is "<unable to determine file name>".  The corrupted index attribute is ":$SII:$INDEX_ALLOCATION".  The corrupted index block is located at Vcn 0xd, Lcn 0xffffffffffffffff.  The corruption begins at offset 3880 within the index block.

Error: (03/07/2014 06:18:59 PM) (Source: Service Control Manager) (User: )
Description: The McAfee AP Service service depends on the following service: mfevtp. This service might not be installed.

Error: (03/07/2014 06:18:52 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 18:07:03 on ?07/?03/?2014 was unexpected.

Error: (03/07/2014 06:18:00 PM) (Source: Microsoft-Windows-Kernel-General) (User: NT AUTHORITY)
Description: 0xc000014d0

Error: (03/07/2014 06:11:16 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (03/07/2014 06:10:41 PM) (Source: Application Popup) (User: )
Description: \??\C:\ComboFix\catchme.sys

Error: (03/07/2014 06:08:24 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (03/07/2014 06:06:12 PM) (Source: Service Control Manager) (User: )
Description: The DirMngr service terminated unexpectedly. It has done this 1 time(s).


Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
  Date: 2014-03-07 18:10:41.911
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


=========================== Installed Programs ============================

 clear.fi SDK - Video 2 (Version: 2.1.2128)
 clear.fi SDK- Movie 2 (Version: 2.1.2112)
µTorrent (Version: 3.3.2.30303)
Acer Backup Manager (Version: 4.0.0.0071)
Acer Device Fast-lane (Version: 1.00.3011)
Acer Instant Update Service (Version: 1.00.3013)
Acer Power Management (Version: 7.00.3011)
Acer Recovery Management (Version: 6.00.3012)
AcerCloud (Version: 2.01.3125)
AcerCloud Docs (Version: 1.00.3204)
Adobe Flash Player 12 Plugin (Version: 12.0.0.70)
Amazon Cloud Player (Version: 2.2.0.399)
avast! Free Antivirus (Version: 9.0.2013)
AVG 2014 (Version: 14.0.3722)
AVG 2014 (Version: 14.0.4335)
AVG 2014 (Version: 2014.0.4335)
Backup Manager v4 (Version: 4.0.0.0071)
Broadcom Card Reader Driver Installer (Version: 15.4.7.1)
clear.fi Media (Version: 2.01.3112)
clear.fi Photo (Version: 2.01.3109)
CyberLink MediaEspresso 6.5 (Version: 6.5.3318_45364)
Dolby Home Theater v4 (Version: 7.2.8000.13)
Dritek Radio Controller (Version: 2.02.2001.0803)
Dropbox (Version: 2.4.11)
eBay Worldwide (Version: 2.3.0630)
Gpg4win (2.2.1) (Version: 2.2.1)
Identity Card (Version: 2.00.3004)
Intel® Management Engine Components (Version: 8.1.0.1252)
Intel® Processor Graphics (Version: 9.17.10.2867)
Intel® Rapid Storage Technology (Version: 11.5.4.1001)
Intel® SDK for OpenCL - CPU Only Runtime Package (Version: 2.0.0.37149)
Intel® Trusted Connect Service Client (Version: 1.24.388.1)
Launch Manager (Version: 7.0.10)
Linux Mint (Version: 15-rev266)
Litecoin (Version: 0.8.5.1)
Live Updater (Version: 2.00.3006)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
McAfee Security Scan Plus (Version: 3.8.141.11)
Microsoft Office (Version: 15.0.4420.1017)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2005 Tools for Office Runtime (Version: 8.0.60940.0)
Mozilla Firefox 27.0.1 (x86 en-GB) (Version: 27.0.1)
Mozilla Maintenance Service (Version: 27.0.1)
MyWinLocker (Version: 4.0.14.35)
MyWinLocker 4 (Version: 4.0.14.35)
MyWinLocker Suite (Version: 4.0.14.24)
Norton Online Backup (Version: 2.2.3.51r)
Norton Online Backup ARA (Version: 4.1.0.14)
NTI Media Maker 9 (Version: 9.0.2.9013)
Office Addin (Version: 2.01.3202)
Office Addin 2003 (Version: 2.01.3202)
Qualcomm Atheros Bluetooth Suite (64) (Version: 8.0.0.214)
Qualcomm Atheros WiFi Driver Installation (Version: 11.21)
Realtek High Definition Audio Driver (Version: 6.0.1.6657)
Shared C Run-time for x64 (Version: 10.0.0)
Shredder (Version: 2.0.8.9)
Sophos Virus Removal Tool (Version: 2.4)
Spotify (Version: 0.8.4.99.ga249b5f1)
Synaptics Pointing Device Driver (Version: 16.3.4.0)
Visual Studio 2012 x64 Redistributables (Version: 14.0.0.1)
Visual Studio 2012 x86 Redistributables (Version: 14.0.0.1)
Visual Studio Tools for the Office system 3.0 Runtime
Visual Studio Tools for the Office system 3.0 Runtime (Version: 9.0.30729)
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (Version: 1)
VLC media player 2.1.1 (Version: 2.1.1)

========================= Memory info: ===================================

Percentage of memory in use: 22%
Total physical RAM: 8007.27 MB
Available physical RAM: 6188.65 MB
Total Pagefile: 9223.27 MB
Available Pagefile: 7360.78 MB
Total Virtual: 4095.88 MB
Available Virtual: 3975.23 MB

========================= Partitions: =====================================

1 Drive c: (Acer) (Fixed) (Total:679.19 GB) (Free:566.89 GB) NTFS

========================= Users: ========================================

User accounts for \\PEM

Administrator            Guest                    pensataq                 


**** End of log ****
 



#4 pensataq

pensataq
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:53 AM

Posted 07 March 2014 - 04:40 PM

Hi, sorry, I've run TDSSKiller and got the log, but there is no option to copy and paste and there seems to be no menu even with a right click. Is there another way of copying the text?



#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:53 PM

Posted 07 March 2014 - 08:00 PM

If nothing was found then that's fine. If it showed something can you just type what it was and what it said it did with it.

You have 2 AVs:

avast! Free Antivirus (Version: 9.0.2013)
AVG 2014 (Version: 14.0.3722)
AVG 2014 (Version: 14.0.4335)
AVG 2014 (Version: 2014.0.4335).
I would remove these in Control Panel and reboot.

More than one AV will conflict and cause slowness.

 

Run ESET

 

What browser do you use and have the Redirects stopped?



#6 pensataq

pensataq
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:53 AM

Posted 07 March 2014 - 08:22 PM

Hi, I think I've managed to stop the redirects by hard resetting the router. Didn't realise I could get a virus on the router, but when it started happening to other devices on the router I put two and two together. Well, it's worked up to now, so fingers crossed. Thanks for the advice and I will remove one of the anti-virus programs.

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:53 PM

Posted 07 March 2014 - 08:47 PM

That is possible and rare, but it does happen.

Look up your router brand and be sure to set the security so it won't happen again.


Here's Linksys

Edited by boopme, 07 March 2014 - 08:49 PM.


#8 BigTed

BigTed

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:53 AM

Posted 08 March 2014 - 03:17 PM

Hi,

This happened to me as well (twice); something is changing the addresses for DNS on my Edimax router.

I found this thread because you too had your primary DNS address reset to 50.63.128.135.

This seems to be a server in the States:

server location: Scottsdale in United States
ISP: GoDaddy.com, LLC

I reset all my browsers and scanned the machine with Microsoft & Malwarebytes but found nothing.

I'd like to understand how this has happened to my router. I changed the password for setup after the first attack and I don't allow my browser to cache passwords for anything, so I'm interested in how the virus:

1. Got into my router
2. How I can isolate it

I'll go through the list of work from the 2nd post and see if that gives some more info.

Thanks for any tips in the meantime.

Ted.

 



#9 pensataq

pensataq
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:53 AM

Posted 09 March 2014 - 03:43 PM

Thanks Ted,

It's strange, I remember having a similar problem a few years ago which I never got to the bottom of; in hindsight I think it was probably a redirect virus on the router as well. I have a TPLink W890g router but I have no idea where the virus could have come from!



#10 WBenn

WBenn

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:53 AM

Posted 09 March 2014 - 07:40 PM

I had the same happen on a TP Link Wireless G router today. From a virus that was a DNS changer, it set the router's DNS IP addresses to 50.63.128.135 and 8.8.8.8.

Don't know how it accessed the router as the default password had been changed. Any device connected to this broadband router had its home page redirected with a message to update to Flash Player Pro.

Flash Player Pro is fake (usually anything with "pro" added is fake, to con you into thinking it must be the best program in the world).

This then loads ransomware if you installed the fake Flash Player.

Yes, check your PC for virus infection, but check the DNS settings in your router. They should be set to 0.0.0.0 or Auto. Reset the router to factory settings as a last resort.

You know that if multiple devices (PC, Mac, iPhones & iPads) all on the same WiFi network are doing the same redirecting to the fake Adobe Flash Pro site, it is the router's DNS settings that have been changed.

 

Information on DNS Changer Malware

 http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf


Edited by WBenn, 10 March 2014 - 03:21 AM.
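The client-side half of the check WBenn describes (every device behind the router redirected, the DNS entries rewritten to 50.63.128.135 with 8.8.8.8 kept as the second entry) can be automated. The following is an added example, not code from this thread, from MiniToolBox or from any of the tools named in it: it parses the per-adapter "DNS Servers" entries from `ipconfig /all`-style text, as in the IP Configuration section of the log in post #3, and flags any public resolver that is not on an allowlist the owner maintains. The allowlist (`TRUSTED_RESOLVERS`), the sample excerpt (`SAMPLE_IPCONFIG`, constructed to mirror the posted log) and the function names are assumptions of the example, not anything the posters ran.

```python
"""Audit the resolvers a Windows client received, from `ipconfig /all` style text.

Added example for this thread (not from the thread's posters or from MiniToolBox):
parse the per-adapter "DNS Servers" entries and flag any public resolver that is
not on an allowlist, which is the pattern visible in the logs posted above.
"""
import ipaddress
import re
from typing import Dict, List

# Assumption: the resolvers the network owner deliberately configured.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Constructed sample, modelled on the IP Configuration section of the log in #3.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Pem

Wireless LAN adapter WiFi:

   Description . . . . . . . . . . . : Qualcomm Atheros AR5BWB222 Wireless Network Adapter
   IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 50.63.128.135
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
"""

# "Wireless LAN adapter WiFi:" / "Ethernet adapter Ethernet:" block headers.
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
# "   Key . . . . : value" lines; the dotted leader must be present so that
# bare IPv6 continuation lines (which contain colons) are not taken as fields.
FIELD_RE = re.compile(r"^\s+(.+?)(?:\s?\.)+\s?:\s?(.*)$")


def parse_adapters(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {adapter name: {field: [values]}} for each adapter block.

    Multi-valued fields (DNS Servers, IPv6 addresses) continue on following lines
    that carry only a value, so the parser remembers the last field it saw.
    """
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current = None   # adapter block we are inside
    last_key = None  # field a bare continuation line belongs to
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = header.group(1)
            adapters[current] = {}
            last_key = None
            continue
        if current is None or not line.strip():
            last_key = None
            continue
        field = FIELD_RE.match(line)
        if field:
            last_key = field.group(1).strip()
            value = field.group(2).strip()
        elif last_key and line.startswith(" "):
            value = line.strip()  # continuation of the previous multi-valued field
        else:
            continue
        value = re.sub(r"\((Preferred|Deprecated)\)$", "", value).strip()
        if value:
            adapters[current].setdefault(last_key, []).append(value)
    return adapters


def audit_dns(text: str, trusted: set) -> List[dict]:
    """Flag every resolver the client uses that is public and not in `trusted`.

    Private and link-local resolvers (normally the router itself) are not flagged:
    a router that forwards DNS hides its upstream choice from the client, so its
    own WAN DNS fields have to be checked in the router's admin page separately.
    """
    findings = []
    for adapter, fields in parse_adapters(text).items():
        servers = fields.get("DNS Servers", [])
        for server in servers:
            try:
                ip = ipaddress.ip_address(server.split("%")[0])
            except ValueError:
                continue  # not an address; ignore
            if server in trusted or ip.is_private or ip.is_link_local:
                continue
            reason = "public resolver not in allowlist"
            if any(s in trusted for s in servers):
                # A rogue primary with a trusted secondary keeps the victim's
                # connection working, which is what the posters observed.
                reason += "; paired with a trusted resolver (DNS-changer pattern)"
            findings.append({"adapter": adapter, "server": server, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_dns(SAMPLE_IPCONFIG, TRUSTED_RESOLVERS):
        print(f"{f['adapter']}: {f['server']} ({f['reason']})")
```

Run it against saved `ipconfig /all` output from each affected machine; on the log in #3 it reports the WiFi adapter with 50.63.128.135 as an unlisted public resolver paired with 8.8.8.8. The check only sees what DHCP handed to the client: if the router gives out its own LAN address as the resolver and forwards upstream, a rewritten WAN-side DNS on the router is invisible here, so the router's own DNS fields (which WBenn notes should read 0.0.0.0 or Auto on these units) still have to be inspected in the admin page.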


#11 BigTed

BigTed

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:53 AM

Posted 10 March 2014 - 07:56 AM

Hi,

 

I've scanned the PC with TDSSKiller and ESET - it all came up clean.

 

Something reset the DNS from my default setting again this morning. I'm trying to create a process that causes it to reset so I can track down what is running where, but I've had no luck in finding the correct sequence to force it to happen.

 

I use Googles DNS servers so I normally have 8.8.8.8 & 8.8.4.4 configured.

 

I'll keep trying to isolate the change.

 

Ted



#12 BigTed

BigTed

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:53 AM

Posted 10 March 2014 - 07:58 AM

I have also gone through my non-Plug and Play drivers looking for anything unusual but they all looked ok.

I've started the PC with boot logging enabled as well to see if I could see something obvious but no luck so far.

 

Ted



#13 Microcroft

Microcroft

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:53 AM

Posted 10 March 2014 - 02:51 PM

Exactly the same problem here with the TP Link TD-W8901G router getting my DNS redirected to 50.63.128.135! Keep hard resetting my router as a workaround. Checked the PC for rootkits and malware but nothing detected. Phones and PC all getting redirected, so it's definitely the router, but what's doing this?

 

Hope someone finds a fix!


Should have mentioned I upgraded the Firmware today to latest version



#14 WBenn

WBenn

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:53 AM

Posted 10 March 2014 - 03:13 PM

Found an interesting YouTube video on the hacking of a TP Link ADSL router; a virus must be using JavaScript to exploit the security weakness in these TP Link ADSL routers.

I've been talking to someone else who has a client with this same problem, need to find out if it is a TP Link ADSL Router.

 

http://youtu.be/wy4n8a3dy0Q


Edited by WBenn, 10 March 2014 - 03:22 PM.


#15 Inveryes

Inveryes

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:53 AM

Posted 10 March 2014 - 06:40 PM

Quoting Microcroft:

    Exactly the same problem here with the TP Link TD-W8901G router getting my DNS redirected to 50.63.128.135! Keep hard resetting my router as a workaround. Checked the PC for rootkits and malware but nothing detected. Phones and PC all getting redirected, so it's definitely the router, but what's doing this?

    Hope someone finds a fix!

    Should have mentioned I upgraded the firmware today to the latest version

We have the exact same problem with the same router, Microcroft

 

http://www.bleepingcomputer.com/forums/t/526594/has-adobe-update-virus-immobilised-my-pc-phone-and-ipad/





