Network compromised - Malicious URL blocked on ALL PCs on my network

Hi all,

I’ve read over the other postings in this forum, and I have a similar issue, but with a significant twist.

I went away for the long weekend with my computers and network whole and healthy. When I came home, I went upstairs to log in to my laptop. My wife was downstairs at the same time streaming video through the XBox. As soon as my laptop spun up and started accessing services (dropbox, google drive, media center updater, etc…), the computer started throwing a ton of “Malicious URL Blocked” errors at me. Now it’ll no longer access the internet at all (everything is blocked).

At the same time that I booted up my laptop, both the desktop and laptop downstairs (same network, always-on connection) started throwing the same malicious URL errors. Also, the XBox and my wife’s iPhone get no response from the network.

I took a wild guess and decided that it was unlikely that all of my computers were simultaneously infected with a virus (two of which no one was using at the time), and put my money on the router being the issue. I have DD-WRT installed, and I’m fairly (90%) certain I had a non-default admin user and password set. I did a hard reset (30-30-30) to clear everything out, but to no avail.

In reading up on this, I think I may have a trojan running on my laptop that’s resetting my router DNS and piping my traffic to a known hacker. What I’m wondering is what are the best steps to clean this up, and what all do I need to do after it’s resolved? (Changing bank account passwords, etc…)

Any help is greatly appreciated.

Also, forgot to mention - I don’t get the alerts on another network that’s properly secured with the laptop in question.

When you reset the router, did you do a hard reset, i.e. there is a small hole/button at the back of the router which needs to be pressed to reset to defaults?

Yes. I did a 30-30-30 reset (Push small button and hold for 30 seconds, unplug while still holding, wait 30 more seconds, plug back in while still holding for 30 more seconds.) If I’ve understood correctly, that’s as complete a wipe as you can do on a router.

One thing I’m concerned about though, if there’s a trojan on one of my machines, it could well have gotten back to the router immediately after the reset.

This is the article I found on the topic: http://voices.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html

OK, let’s have a look at the computer.

Download OTL to your Desktop

- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

- Select All Users
- Under the Custom Scan box paste this in:
netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
qmgr.dll
/md5stop
%systemdrive%$Recycle.Bin|@;true;true;true
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
CREATERESTOREPOINT

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
- When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Attach both logs

THEN

Download aswMBR.exe (4.8mb) to your desktop.
Double click aswMBR.exe to run it, then click the “Scan” button to start the scan.

http://dl.dropbox.com/u/73555776/aswMBRscan.png

On completion of the scan click Save log, save it to your desktop and post it in your next reply.

http://dl.dropbox.com/u/73555776/aswMBRlog.png

aswMBR wouldn’t run. I’ll try it in safe mode once I’m home. This is the first of the two files from OTL.

File #2.

Ran it in safe mode - No love, it still won’t finish.

Brett_2012

Essexboy is located in the UK so better to wait for an answer tomorrow. Night, night.

OK, let’s use another programme to look at the MBR.

Download the latest version of TDSSKiller from here and save it to your Desktop.

- Double-click on TDSSKiller.exe to run the application

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

- Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

- Click the Start Scan button.

- If a suspicious object is detected, the default action will be Skip; click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

- Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

So I continued to work on this last night. It turns out it wasn’t a virus.

Here’s what happened:
A couple months ago we switched ISPs. I forgot to set up auto bill pay, and it looks like over the weekend my ISP blocked all outbound traffic and forced a redirect to their bill pay page. Apparently, that redirect set off the malicious URL warning on all of my machines, and since the page was blocked I couldn’t see what was going on.

I resolved the issue with my ISP, which in turn resolved the issue with Avast and all of my machines are humming along fine now.

Thanks so much for your assistance.
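The pattern behind this thread (every device alerting at once because the ISP's billing redirect, or a rewritten router DNS, sends every name to one host) can be checked from any machine before assuming a per-host infection. The script below is an added example, not from the thread or from Avast; the probe domain names, the "same address" threshold and the verdict labels are assumptions.

```python
"""Tell a network-wide redirect (ISP walled garden or hijacked router DNS)
apart from a single infected host: resolve several unrelated domains and see
whether they all collapse onto one address.  Added example, not from the
original thread; domain list and threshold are assumptions."""
import socket
from collections import Counter

# Unrelated, well-known names.  Behind a walled garden or a rewritten DNS
# server they all resolve to the same redirect host (assumed still valid).
PROBE_DOMAINS = ["www.google.com", "www.microsoft.com", "www.amazon.com",
                 "www.wikipedia.org", "www.apple.com"]


def resolve_all(domains, resolver=socket.gethostbyname):
    """Resolve each domain with the system resolver; failures map to None."""
    results = {}
    for name in domains:
        try:
            results[name] = resolver(name)
        except OSError:            # socket.gaierror is a subclass of OSError
            results[name] = None
    return results


def classify(results, min_collapsed=3):
    """Return 'walled_garden', 'partial_redirect', 'no_resolution' or 'ok'.

    Unrelated domains sharing one address is the signature of a captive
    portal / billing page or a rewritten resolver, which is what makes a
    URL-blocking AV fire on every device at once.  Nothing resolving at all
    matches the thread's XBox/phone symptom (no response from the network)."""
    addrs = [a for a in results.values() if a is not None]
    if not addrs:
        return "no_resolution"
    _addr, count = Counter(addrs).most_common(1)[0]
    if count >= min_collapsed and count == len(addrs):
        return "walled_garden"
    if count >= min_collapsed:
        return "partial_redirect"   # some names hijacked, others genuine
    return "ok"


if __name__ == "__main__":
    live = resolve_all(PROBE_DOMAINS)
    for name, addr in live.items():
        print(f"{name:22} -> {addr}")
    print("verdict:", classify(live))
```

Run it from two different devices on the same network: matching verdicts point at the router or ISP rather than at one machine, which is the reasoning the original poster used before the ISP explanation surfaced.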

Not a problem, you gave me a little chuckle so it was a fair swop ;D

Run OTL and hit the cleanup button to remove it