Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Flash update virus on my router?


  • Please log in to reply
2 replies to this topic

#1 Reboot153

Reboot153

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:11 AM

Posted 02 June 2014 - 01:17 PM

Hi everyone,

I've been researching and fighting a problem that has been occurring on my home network for the past couple of weeks.  I've seen this behavior mainly on my desktop computer where a browser window will open warning me that I need to update the flash player for security reasons.  I'm a seasoned IT professional so I knew this was malware right off the bat and started performing scans of my computer.  Both Malwarebytes and my Vipre antivirus have come back stating that my computer is clean but the problem is still happening.  The most confusing aspect about this problem is that this behavior is occurring across multiple devices and platforms.

While browsing the net on my iPad, links within a trusted retailer website took me to radically different advertisement webpages.  My finance has experienced the same behavior on her Kindle HD and I've also noticed the same behavior on my Motorola RAZR M smartphone.  Each time this happens it's only at our home and when we're connected to our LAN (my smartphone doesnt show this behavior if I'm on a different Wi-Fi or using my data plan).

I've checked my router and it doesn’t appear as though any changes have been made.  The DNS settings don’t appear to have been changed (though I'm tempted to update them to 8.8.8.8 and 8.8.4.4 tonight when I get home).  All of my passwords and settings for the router were intact and it doesn’t appear to be tampered with.  Aside from resetting the router back to factor specs I can’t think of what I can do to fix this problem.

The list of equipment affected so far is:
Desktop: Windows 7 SP1 using IE 9 and Firefox 29
Laptop: Windows 7 SP1 using IE 9
iPad, 1st Gen using Safari
Amazon Kindle HD, Android 4.1.2 using embedded browser
Motorola RAZR M, Android 4.4.2 using Chrome 35 mobile

I've performed both Malwarebytes scans and Vipre antivirus scans on my desktop computer and they keep coming back clean each time.  I've even gone so far as to uninstall unused programs to cut down on the number of files the software has to scan so I can save time.  I've checked the router to confirm that it hasn’t been tampered with and it appears (from what I can tell) that everything is fine.

Has anyone heard of a virus that affects a router to redirect browsers to infected websites or advertisement pages?  I can’t think of what else could be causing this kind of behavior.  Please let me know if there is any additional information I can provide that would help.

Thanks,

-Reboot



BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,679 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:10:11 PM

Posted 02 June 2014 - 06:57 PM

Welcome aboard p22002758.gif

 

p22002970.gif Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2 SecurityCheck may produce some false warning(s), so leave the results reading to me.

p22002970.gif Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


p22002970.gif Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size
  • List Restore Points

Click Go and post the result.

p22002970.gif Please download Malwarebytes Anti-Malware to your desktop.
NOTE. If you already have MBAM 2.0 installed scroll down.

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:

    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.



If you already have MBAM 2.0 installed:

  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.


How to get logs:
(Export log to save as txt)


  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the Scan Log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.



(Copy to clipboard for pasting into forum replies or tickets)

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.


p22002970.gifDownload Malwarebytes Anti-Rootkit from HERE to your Desktop.
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt


p22002970.gif Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.


If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

NOTE Do NOT wrap your logs in "quote" or "code" brackets.
Do NOT use spoilers.
Do NOT edit your reply to post additional logs. Create new reply. I'll not get any email notifications about edits so I won't know you posted something new.


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 Reboot153

Reboot153
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:11 AM

Posted 02 June 2014 - 09:12 PM

Hi Broni,

 

Thank you for your post and instructions but I have a feeling that you may not have read my information correctly.  I cited five different devices that were exhibiting this problem and only two of them will run the programs you've listed.  Also, I mentioned that I'm an IT Professional (fourteen years in the industry) and that the problem was not related to infectious software.

 

After returning home tonight I checked my router against default settings and I found that two of the three DNS addresses had been bypassed with static addresses.  The first DNS entry was for 97.64.183.164.  When researching this DNS server I found that it was associated with Mediacom, my ISP.  The second DNS address was 184.107.180.178 which is associated with iWeb Technologies in Canada.  Doing a Google search on the address returns pages of redirect issues and posts on various forums (Bleeping Computer included).  The third DNS address is 69.65.41.30 which is owned by Giganet USA, a web hosting company, not a DNS service.  All of their Google results point towards routers being compromised and pointing towards malware websites.

 

Now, what I have to say next may upset you (and possibly others) and I apologize in advance for that.  You need to read a post before you begin trying to help someone.  I know you were doing your best to assist but the fact that you simply copy/pasted a form letter as a reply tells me that you're not considering what I'm saying.  If nothing else, you didn’t identify which device to run the scans on.  When I'm working with someone on a computer problem I always make it a point to listen to what he or she is saying because any minor detail can make the difference in fixing the problem.  You completely missed the fact that I stated this was happening across multiple platforms and devices.  There's no known malware that works in such a manner and because you were instructing me to look for such a problem tells me that you didn’t read my post.

 

Thank you for your time.  You can consider this issue resolved and can now lock the thread.

 

For anyone that is interested in the fix for this issue, here are the steps I took to resolve the problem: (these instructions are for a Cisco Linksys E2000 router but should work for any make/model of home routers)

 

  1. Log into the router and navigate to the “Status” page and selecte the “Router” sub-menu
  2. On the status page you will see a variety of information, the most important being DNS1, DNS2 and DNS3.  Each of these fields should be populated with an IP address
  3. In a new tab/browser, perform a Speed Guide search on these DNS addresses to determine their owners:
  4. Go to their address: http://www.speedguide.net/ip/<ip address here> (for example: http://http://www.speedguide.net/ip/97.64.183.164 was my Mediacom DNS server)
  5. Confirm that each DNS address is a valid ISP server for your ISP (Mediacom, Time Warner, Comcast, etc)
  6. Write down any DNS addresses that are not associated with your ISP
  7. Going back to your router page, select the “Setup” menu and select “Basic Setup” sub-menu
  8. Confirm if any of the suspicious DNS addresses are listed as a “Static DNS” in the router configuration
  9. If there are any static DNS addresses, remove them by filling each address field with a zero.  For a more secure option, you can enter Google’s DNS servers.  Their addresses are: 8.8.8.8 and 8.8.4.4
  10. Save the changes to the router and reboot it

 

This should remove the hijacked DNS addresses and, with static DNS addresses entered in, prevent unauthorized users from entering their own addresses back into the router.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users