Browser Hijacks (all 5 pcs on home network)


Help,

I am having serious issues.

I will first describe the general issues as this might be a different problem all together.

I have 5 computers (family members, laptops, etc. that access the internet; 2 are wired, 3 are wireless, secured with WPA).

All 5 have the exact same problems.

All are XP Home and Pro, completely updated.

Malwarebytes finds nothing on any of them. Malwarebytes won't update (MBAM_error_updating, 12007, 0, winhttpsendrequest).

3 are running MBAM db version 4052, version 1.46. On 2 I manually updated rules.ref (still finds nothing).

All 5 PCs have hijacked browsers; about every 3 pages I see it say waiting for rds.yahoo.com or waiting for google-analytics.com.

Various AV programs find nothing: Norton, Avira, etc.

Here is the kicker: I just completely reinstalled XP Home yesterday, did nothing but install 80 updates, never browsed the internet, turned on the Windows firewall, just started surfing and I have the same problems as every computer in my house. Saw in another post to try Avira, just did, found nothing. This is truly frustrating. Any help would be greatly appreciated.


Ron! Can you do the following, then post back & let us know please!!

We can release your IP address settings, flush the DNS resolver cache, then renew your IP address settings.

It will be easier and less error prone if we create a batch file to do this... please follow these steps:

  1. Copy/paste all text in the code box (below)...to Notepad. (Do not use a Word Processor or WordPad).

    @echo off
    rem Release the DHCP lease, drop the local DNS resolver cache, then
    rem take a fresh lease (and fresh DNS server settings) from the DHCP server.
    ipconfig /release
    ipconfig /flushdns
    ipconfig /renew
    rem Delete this batch file; this must stay the last line.
    del %0

  2. Set "Save as type" to "All Files"
  3. Save the Notepad file on your desktop...as DNSreset.bat.
    Note : The .bat extension is very important
  4. Double click on DNSreset.bat to run it.
    Vista-Win7 users: Right click on DNSreset.bat, select "Run As Administrator" to run it.
    A black CMD window will flash, then disappear...this is normal. The batch file will be deleted when finished.
    The IP address settings should be released and renewed and the DNS cache flushed.

Hello RonChase: :)

To completely isolate the problem, connect one of them directly to the modem using an Ethernet cable and see if the Internet works (meaning the problem is for sure with the router), then follow yardbird's instructions in Post #3.

Later, don't forget to change the Admin login password for the router and the wireless encryption key.


OK, look at my last post's instructions and see if you can do that, while I find our IP man..... regards

I just created the batch file, ran it, and I think it ran successfully.

Opened Explorer, went to yahoo.com, did a search, then the results.yahoo.com box appeared, and I was redirected to

http://72.233.76.66/click?s=6e2ae4f2005910...mp;d=1288071464

So I guess this did not work.

Ron

As I am typing this, I see the advice to isolate, so I am going to do that now.


NO luck! I just put this same PC with the issues directly on the cable modem, opened a new Explorer window, went to yahoo.com, did a search, and was redirected here... <frame src="http://onlinesearh.com/?2b642b607975763b6c727d74455502474d56564b495059"

So it looks like it is not the router. Can the cable modem itself be compromised?


Hi Ron -

At least Bing is a harmless search engine :) - Better than being directed to some sites you get - Please try this - Ask if you have any questions -

1. First: Disconnect your computer from the internet. (Log out)

2. Router Reset: Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).

3. Reset the IP/DNS settings of your internet connection:

Download this Microsoft Item and follow its directions

4. Flush the DNS cache:

  • Go to the Run box or press Windows Key + R
  • In the command window copy/paste the following:
    ipconfig /flushdns
  • Then hit Enter.
  • Exit the command window.

5. Update: Try to update to the latest version of Malwarebytes

Thank You -

You can use the ADD REPLY Tab , under the QUOTE tab so the full last item is not repeated -


Hi Ron -

At least Bing is a harmless search engine :) - Better than being directed to some of the sites you get - I have one other idea, just 1 min -

Not sure if I was supposed to do this, but I just ran DNSreset.bat on the cable modem and browsed to about 30 pages with no redirects.

Maybe that worked.

I already changed the router password, removed web admin, etc.

Ron


Hello RonChase:

Please run the batch file on the computer directly connected to the modem as per yardbird's instructions, then try accessing the Internet via an Ethernet cable directly plugged into the modem; you have to do this exercise individually with each system.

Please post back.


I have not done the router reset, etc., but with the flush on the cable modem, I did just try to update Malwarebytes and it works.

So I think I will run like this today and tomorrow and see what happens.

Oh, and I will become a paying Malwarebytes customer this payday :)

Ron


GREAT - It has worked for you - We may not have added that you need to be direct wired as you run the item -

Happy result I hope -

Thank You -

Working on the second PC now; it looks like I need to run the .bat file with each computer direct wired to the cable modem only.

Does this sound right?


OK two for two!

Many thanks, I will fix the laptops tomorrow.

Nope, spoke too soon: the second PC didn't fix, and now the first PC has the exact same issues.

I did, however, go back to the router on both PCs, after fixing the first and prior to fixing the second.

Should I stop using the Linksys router until I direct connect and flush every PC?


Post back with any questions Ron! Update & run scans when you're done... regards...

EDIT: remember Post #9 above can tell us why this went on....

I followed everything in Post #9, and I am now 2 for 2 (the two wired PCs). I will try to fix the laptops tomorrow by wiring them direct.

Here is the log from PC1

reset SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation

old REG_MULTI_SZ =

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain

SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{4A984946-C72C-4B47-894D-F4DC96D5333A}\NetbiosOptions

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{8400078F-9FEE-4F93-A51E-5A1BDF0B118E}\NetbiosOptions

deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DC60BD9-4567-4F71-9DF5-85CA357B38FB}\DisableDynamicUpdate

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DC60BD9-4567-4F71-9DF5-85CA357B38FB}\IpAutoconfigurationAddress

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DC60BD9-4567-4F71-9DF5-85CA357B38FB}\IpAutoconfigurationMask

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DC60BD9-4567-4F71-9DF5-85CA357B38FB}\IpAutoconfigurationSeed

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DC60BD9-4567-4F71-9DF5-85CA357B38FB}\RawIpAllowedProtocols

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DC60BD9-4567-4F71-9DF5-85CA357B38FB}\TcpAllowedPorts

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DC60BD9-4567-4F71-9DF5-85CA357B38FB}\UdpAllowedPorts

old REG_MULTI_SZ =

0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ACCD8093-1A86-41E9-8419-C46E6517E230}\AddressType

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ACCD8093-1A86-41E9-8419-C46E6517E230}\DisableDynamicUpdate

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ACCD8093-1A86-41E9-8419-C46E6517E230}\RawIpAllowedProtocols

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ACCD8093-1A86-41E9-8419-C46E6517E230}\TcpAllowedPorts

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ACCD8093-1A86-41E9-8419-C46E6517E230}\UdpAllowedPorts

old REG_MULTI_SZ =

0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableIcmpRedirect

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution

reset Linkage\UpperBind for PCI\VEN_8086&DEV_1064&SUBSYS_4037107B&REV_03\4&5A988DE&0&40F0. bad value was:

REG_MULTI_SZ =

PSched

reset Linkage\UpperBind for ROOT\MS_NDISWANIP\0000. bad value was:

REG_MULTI_SZ =

PSched

<completed>


Log from PC2

reset SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation

old REG_MULTI_SZ =

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain

SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

deleted SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\MaxCacheEntryTtlLimit

deleted SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\NegativeSoaCacheTime

deleted SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\NetFailureCacheTime

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{0BF7EA07-1653-4069-BA52-29D6E9637A37}\NetbiosOptions

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{CF44995D-FB5F-476E-9590-F208C9778C37}\NetbiosOptions

deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{01DC74FD-F540-4E4C-98E6-D79C0BB64CA7}\AddressType

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{01DC74FD-F540-4E4C-98E6-D79C0BB64CA7}\DisableDynamicUpdate

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{01DC74FD-F540-4E4C-98E6-D79C0BB64CA7}\RawIpAllowedProtocols

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{01DC74FD-F540-4E4C-98E6-D79C0BB64CA7}\TcpAllowedPorts

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{01DC74FD-F540-4E4C-98E6-D79C0BB64CA7}\UdpAllowedPorts

old REG_MULTI_SZ =

0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{62088340-1DA7-4EB5-9FA4-72C42B684C33}\DisableDynamicUpdate

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{62088340-1DA7-4EB5-9FA4-72C42B684C33}\IpAutoconfigurationAddress

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{62088340-1DA7-4EB5-9FA4-72C42B684C33}\IpAutoconfigurationMask

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{62088340-1DA7-4EB5-9FA4-72C42B684C33}\IpAutoconfigurationSeed

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{62088340-1DA7-4EB5-9FA4-72C42B684C33}\RawIpAllowedProtocols

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{62088340-1DA7-4EB5-9FA4-72C42B684C33}\TcpAllowedPorts

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{62088340-1DA7-4EB5-9FA4-72C42B684C33}\UdpAllowedPorts

old REG_MULTI_SZ =

0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTtl

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableDynamicUpdate

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableTaskOffload

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableIcmpRedirect

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePmtuBhDetect

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePmtuDiscovery

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SackOpts

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Tcp1323Opts

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDupAcks

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpNumConnections

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution

reset SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider\Class

old REG_DWORD = 1

reset SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider\DnsPriority

old REG_DWORD = 7

reset SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider\HostsPriority

old REG_DWORD = 6

reset SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider\LocalPriority

old REG_DWORD = 5

reset SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider\NetbtPriority

old REG_DWORD = 8

reset Linkage\UpperBind for ROOT\MS_NDISWANIP\0000. bad value was:

REG_MULTI_SZ =

PSched

reset Linkage\UpperBind for PCI\VEN_10EC&DEV_8139&SUBSYS_2A0B103C&REV_10\4&23C0B1C&0&10F0. bad value was:

REG_MULTI_SZ =

PSched

<completed>
