I’ve read over the other postings in this forum, and I have a similar issue, but with a significant twist.
I went away for the long weekend with my computers and network whole and healthy; when I came home, I went upstairs to log in to my laptop. My wife was downstairs at the same time streaming video through the Xbox. As soon as my laptop spun up and started accessing services (Dropbox, Google Drive, Media Center updater, etc.), the computer started throwing a ton of “Malicious URL Blocked” errors at me. Now it’ll no longer access the internet at all (everything is blocked).
At the same time that I booted up my laptop, both the desktop and laptop downstairs (same network, always-on connection) started throwing the same malicious URL errors. Also, the Xbox and my wife’s iPhone get no response from the network.
I took a wild guess and decided that it was unlikely that all of my computers were simultaneously infected with a virus (two of which no one was using at the time), and put my money on the router being the issue. I have DD-WRT installed, and I’m fairly (90%) certain I had a non-default admin user and password set. I did a hard reset (30-30-30) to clear everything out, but to no avail.
In reading up on this, I think I may have a trojan running on my laptop that’s resetting my router DNS and piping my traffic to a known hacker. What I’m wondering is what are the best steps to clean this up, and what all do I need to do after it’s resolved? (Changing bank account passwords, etc…)
When you reset the router, did you do a hard reset, i.e. there is a small hole/button at the back of the router which needs to be pressed to reset it to defaults?
Yes. I did a 30-30-30 reset (push the small button and hold it for 30 seconds, unplug while still holding, wait 30 more seconds, plug back in while still holding for 30 more seconds). If I’ve understood correctly, that’s as complete a wipe as you can do on a router.
One thing I’m concerned about, though: if there’s a trojan on one of my machines, it could well have gotten back to the router immediately after the reset.
- Select All Users
- Under the Custom Scan box, paste this in:

    netsvcs
    BASESERVICES
    %SYSTEMDRIVE%\*.exe
    /md5start
    services.*
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    qmgr.dll
    /md5stop
    %systemdrive%\$Recycle.Bin|@;true;true;true
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
    CREATERESTOREPOINT

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Attach both logs.

THEN

Download aswMBR.exe (4.8 MB) to your desktop.
- Double-click aswMBR.exe to run it.
- Click the “Scan” button to start the scan.
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
So I continued to work on this last night. It turns out it wasn’t a virus.
Here’s what happened:
A couple months ago we switched ISPs. I forgot to set up auto bill pay, and it looks like over the weekend my ISP blocked all outbound traffic and forced a redirect to their bill pay page. Apparently, that redirect set off the malicious URL warning on all of my machines, and since the page was blocked I couldn’t see what was going on.
I resolved the issue with my ISP, which in turn resolved the issue with Avast, and all of my machines are humming along fine now.
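The point this thread illustrates is that a router whose DNS has been changed and an ISP that redirects every outbound request to a billing page look identical from the desktop: every machine on the LAN throws the same “Malicious URL Blocked” warning, and the security software hides the page that would have explained it. The script below is an added example, not code from anyone in this thread, that separates the two signals before anyone does another 30-30-30 wipe. It resolves a few unrelated hosts and flags the case where they all collapse to a single IP (what a hijacked or captive resolver does), then fetches a plain-HTTP page without following redirects so an upstream redirect to another host becomes visible. The probe hosts (example.com/.net/.org), the probe URL, and all function names are my assumptions, not anything mentioned in the thread.

```python
"""Triage helper: router DNS hijack or upstream (ISP/captive) redirect?

Added example, not from the thread. Assumptions: stdlib-only Python 3, and the
probe hosts below normally resolve to different addresses.
"""
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumption: unrelated hosts that should never share one IP under normal DNS.
PROBE_HOSTS = ["example.com", "example.net", "example.org"]
# Plain http on purpose: an injected redirect cannot be hidden behind a TLS error.
PROBE_URL = "http://example.com/"
REDIRECT_CODES = {301, 302, 303, 307, 308}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the first Location header is observable."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def resolve_all(hosts):
    """Map each host to the set of IPv4 addresses the local resolver returns."""
    out = {}
    for host in hosts:
        try:
            infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
            out[host] = {info[4][0] for info in infos}
        except socket.gaierror:
            out[host] = set()
    return out


def dns_wildcard_suspect(resolutions):
    """True when two or more unrelated hosts all resolve to one identical IP.

    A hijacked or captive resolver answers every name with the address of the
    page it wants the client to land on, so unrelated names converge on one IP.
    """
    answered = [ips for ips in resolutions.values() if ips]
    if len(answered) < 2:
        return False
    return len(set().union(*answered)) == 1


def probe_http(url, timeout=5):
    """Fetch url without following redirects; return (status, Location or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, a 3xx surfaces here instead of being followed.
        return err.code, err.headers.get("Location")
    except urllib.error.URLError:
        return None, None


def classify_http(requested_url, status, location):
    """Label one result: ok, redirect-same-host, redirect-offsite, blocked, unreachable."""
    if status is None:
        return "unreachable"
    if status in REDIRECT_CODES and location:
        want = (urlsplit(requested_url).hostname or "").lower()
        # A relative Location (e.g. "/login") stays on the requested host.
        got = (urlsplit(location).hostname or want).lower()
        return "redirect-same-host" if got == want else "redirect-offsite"
    if status == 200:
        return "ok"
    return "blocked"


def triage(resolutions, requested_url, status, location):
    """Combine the DNS and HTTP signals into one verdict."""
    verdict = classify_http(requested_url, status, location)
    if dns_wildcard_suspect(resolutions):
        return "DNS answers collapse to one IP: check the router's DNS settings first"
    if verdict == "redirect-offsite":
        return "DNS looks normal but HTTP is redirected off-site: upstream (ISP/captive) redirect"
    if verdict == "ok":
        return "no redirect observed on this probe"
    return "HTTP probe result: " + verdict


if __name__ == "__main__":
    res = resolve_all(PROBE_HOSTS)
    for host, ips in res.items():
        print(f"{host:<14} -> {sorted(ips) or 'unresolved'}")
    status, location = probe_http(PROBE_URL)
    print(f"GET {PROBE_URL} -> {status} Location={location}")
    print(triage(res, PROBE_URL, status, location))
```

Run it with python3 from a machine on the suspect network, then once more from a different path (a phone hotspot, for instance) and compare: if the resolver on the LAN hands back one address for every name while the other network does not, the router's DNS configuration is the place to look; if names resolve normally but the HTTP probe is bounced to a host you did not ask for, the redirect is being inserted upstream, which is exactly the billing-page situation the original poster ended up in.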