Oh no!
Computer #2 is infected again!
Computer #2 was used for browsing for quite some time before it was compromised. A couple of hours at the very least.
This computer was cleaned yesterday, way before the router reset.
OK, let’s reset this one’s DNS etc…
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
FRST64 is taking a very very very long time fixing computer #2. Should I restart it?
And now computer # 1 is infected again!
FRST64 is still running on computer #2.
I opened the log file and it says one of the final commands failed “access denied”.
Apparently the batch file ran to the end, but the interface is still loaded. Should I reset the computer?
I have checked FRST’s FixLog on computer # 1 and some of the commands failed:
netsh int ip reset
netsh int ipv6 reset
netsh int ipv4 reset
Each of the above sections in the log has one access denied failure (“Falha ao redefinir. Acesso negado” in Portuguese).
I figure this was the problem.
Meanwhile FRST is still running in computer # 2…
Is anyone using a USB drive?
Yes, reboot the one that is stuck; some commands will fail for some computers.
Both Computer # 1 and # 3 have USB drives (#1 has an external HD, # 3 has a pen drive).
I reset Computer #2.
The fixlog had access denied errors on the same sections as #1’s log.
OK, let it run for a while now and then let me know of any problems.
Well, I did not have to run computer # 2 for a long time. It is infected again. :-X
Computer #3 is not infected yet. But that’s probably because it is not browsing the Internet now.
We’re back at the beginning, I guess.
When you reset the router, did you change the password from the default?
I sure did.
I think I got it now! First I tried to use Chrome on my android phone on my home wifi and… I got redirects too!
Then I searched the internet and I found a discussion on a Brazilian BBS about a DNS server at a major ISP (Virtua) being compromised. That’s my ISP!
So I tried the following solution:
Now everything seems OK. :o
Fingers crossed!
OK, that is the first time I have come across a server DNS problem… That means that no matter what we did, we could not affect it for long.
What ISP was this, please?
The ISP is Virtua. It belongs to a major cable TV and Telephone company in Brasil called “NET”. Their clients are counted by the millions. I don’t know how many of them were configured to use the server that was compromised.
Apparently my computers were not instantly infected because only the first of the two DNS servers in my DHCP’s default configuration was compromised. As this server was very, very slow, it timed out more often than not. So the true DNS server answered many of the requests.
It is in the news in Brazil. You probably can read it with an online translator:
Some months ago a similar scheme was used to redirect clients to some rogue online banking sites.
Ooops. Wrong link…
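The observation above (one DHCP-assigned resolver hijacked and slow, the other honest) suggests a simple check: ask each configured resolver the same question directly, with a short timeout, and compare the answers with a reference resolver such as the 8.8.8.8 mentioned later in the thread. The script below is an added example, not code from the thread or from any participant; the response bytes and the server/name values in it are constructed. A CDN-backed name can legitimately resolve differently per resolver, so a mismatch is a prompt to look closer, not proof of a hijack.

```python
import random
import socket
import struct

def build_query(name, qid):
    """Minimal DNS A/IN query with recursion desired and transaction id qid."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] else 1)   # pointer takes 2 bytes, root label 1

def parse_a_records(data, qid):
    """Collect the A-record addresses from a response, rejecting a wrong transaction id."""
    rid, _flags, qd, an = struct.unpack(">HHHH", data[:8])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(data, off) + 4            # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(data, off) + 10           # name, then 10-byte fixed RR header
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off - 10:off])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return sorted(addrs)

def query_a(server, name, timeout=2.0):
    """Ask one resolver directly over UDP; None means it did not answer in time."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        try:
            return parse_a_records(s.recvfrom(512)[0], qid)
        except socket.timeout:                     # the slow primary in the thread looked like this
            return None

def classify(answers, reference):
    """answers: {server: addrs or None}. Flag resolvers that time out or disagree with reference."""
    return {srv: "timeout" if a is None else ("ok" if set(a) == set(reference) else "MISMATCH")
            for srv, a in answers.items()}

# Constructed sample response (not a real capture): id 0x1234, one A answer 198.51.100.7.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x07example\x04test\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc6\x33\x64\x07")
```

To run the live check, call query_a for each address in the DHCP-assigned resolver list and once for the reference resolver, then pass the results to classify.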
It may be worth changing to OpenDNS https://store.opendns.com/setup/#/
I am using a google dns server as primary: 8.8.8.8
I have just changed the secondary server to OpenDNS. Thanks for the tip.
Has that now cured all the problems?
If so, run the following applicable parts on all systems.
Subject to no further problems
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:
Remove tools
Download and run Delfix
Select the options as shown
https://dl.dropboxusercontent.com/u/73555776/delfix.JPG
: Keep Java Updated :
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article
I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)
If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done then run it again and select Update Java runtime > Download and install Latest version
https://dl.dropboxusercontent.com/u/73555776/javara.JPG
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent: install this programme to lock down and prevent crypto ransomware
https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG
Update and run weekly to keep your system clean
Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme.
It is critical to have both a firewall and antivirus to protect your system and to keep them updated.
To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe
My computers seem fine now, and I have cleaned up two of them using essexboy’s instructions.
One problem remains though. During the infection, computers connecting via WIFI failed to connect to files and printers on computer #1 while it was connected by cable to the router. All computers had internet access, but WIFI computers could not access the computer that was not using WIFI. I circumvented this problem then by disabling computer #1’s cable network adapter. As a WIFI-only network, this specific problem was gone.
I made this change at the very outset of the infection, that is, prior to resetting the router.
After the plague was gone, I tried to enable computer #1’s network adapter again, but computers using WIFI still fail to connect to files or printers on it.
Any tips? Any clues?