
Rich_Philp

  1. Hi Nasdaq, I just removed it, and set the Sonicwall up to do both internet and the phone line (SIP line). Easy enough to do, so we didn't need the Mikrotik at all in the end. As these routers have had this problem, I have lost faith in them, and am glad we can do without it. Thank you, Rich
  2. Hi, The problem was the Mikrotik router, as pointed out by another poster on another forum. Notes on how I diagnosed it are below: I went back on site last night and plugged the laptop directly into the router. Soon enough the popups came up. It is the Mikrotik router. Thank you for your reply to the message, and for pointing me to it. Mikrotik version is 4.39, so this is the patch just after the fix patch. The other odd thing is that I can't manage it. It times out when trying to access it through HTTP and Winbox. Winbox finds it under neighbours, just can't connect. Thank you, Rich
  3. FRST, Addition, and threat logs attached: FRST.txt, Threat.txt, Addition.txt
  4. Hi All, I'm new to these forums, so if this is posted incorrectly, please feel free to move it. One of my clients has been "infected" with an odd malware. The symptoms are: Sites that redirect to another site are affected. A porn popup from i_Bongacash pops up a small window at the bottom right of the window featuring an unwanted video clip. It's a small box that allows you to close it. What else it does when closed, I'm not sure. I was able to reproduce this on one computer regularly. While it was up, I brought up the source code for the site, which also showed the source for the popup as well. I was even able to watch as I refreshed the page, and the code appeared out of nowhere. The code is JavaScript. The code first referenced bc-promo.com (or promo-bc.com). It then pulled down a small clip from i_bongacash.com into the small window. I have the source, but won't post it here for obvious reasons. It must have come from one computer and spread. But as it doesn't seem to be a virus or malware..... Things I have tried to find out what is causing this: Bitdefender, Webroot, Malwarebytes, HitmanPro. None of these programs found anything on the computers. Bitdefender is currently running on the server and one other machine. The server doesn't have any other AV or AM software running. Things I have done to work around this: Added 4 different IP addresses to the Sonicwall to block any traffic going to them: 3 addresses found by nslookup of i_bongacash.com, and another one that Malwarebytes was blocking. Not sure if this has stopped it. If it has, then I need to find out how this happened or is happening. Very odd how some code can just be injected seemingly out of nowhere into a page. It's not an extension, not a program running in the background. If it was either, I would see a strangely named process running, and/or one of the above programs should have picked it up. Could it be that the Sonicwall has been infected and is doing the injection? They also have a Mikrotik router that sits between the internet and the Sonicwall. I'm running out of ideas as to what to try. Has anyone come across anything like this? It's very odd, and hard to explain completely. Thank you, Rich